summaryrefslogtreecommitdiffstats
path: root/base/common/src/com/netscape/certsrv
Commit message (Collapse)AuthorAgeFilesLines
* Move OCSP digest name lookup to CertID classFraser Tweedale2016-03-031-9/+0
| | | | | | | | | The OCSP digest name lookup is currently defined in IOCSPAuthority and implemented by OCSPAuthority, but /any/ code that deals with CertID might need to know the digest, so move the lookup there. Also refactor the lookup to use a HashMap, and add mappings for SHA2 algorithms.
* Lightweight CAs: add audit eventsFraser Tweedale2016-03-011-0/+3
| | | | | | Add audit events for lightweight CA administration. Fixes: https://fedorahosted.org/pki/ticket/1590
* Added mechanism to import system certs via PKCS #12 file.Endi S. Dewata2016-02-261-6/+26
| | | | | | | | | | | | | | | | | | | | | | The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
* Lightweight CAs: enrol cert via profile subsystemFraser Tweedale2016-02-221-0/+3
| | | | | | | | | | | | Enrol new CA certs via the profile subsystem to ensure that the usual audit events are logged and to avoid the nasty ConfigStore hack used to generate the cert via CertUtil. This commit also fixes an issue where the new CA certificate does not have the correct Authority Key Identifier extension. Fixes: https://fedorahosted.org/pki/ticket/1624 Fixes: https://fedorahosted.org/pki/ticket/1632
* Ticket #1007 TPS audit eventsChristina Fu2016-02-152-0/+40
| | | | | | This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE Administrative auditing (via REST interface) will be covered in a separate ticket
* Remove unused TOKEN_AUTHMGR_IMPL_NAME AuthToken attributeFraser Tweedale2016-02-151-19/+0
|
* Added resource bundle for token state labels.Endi S. Dewata2016-02-051-7/+16
| | | | | | | | | | | | | | | The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overriden by copying and customizing the file into <instance>/tps/conf. When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status. https://fedorahosted.org/pki/ticket/1289 https://fedorahosted.org/pki/ticket/1291
* Fixed LDAP error handling in TokenService.Endi S. Dewata2016-02-051-0/+4
| | | | | | | | | | The DBSSession has been modified to attach the LDAPException to the EDBException. The TokenService will catch the EDBException and obtain the orignal LDAPException. This way the TokenService can obtain the LDAP error code and throw the proper exception the client. https://fedorahosted.org/pki/ticket/1646
* Fixed TPS token state transitions.Endi S. Dewata2016-02-032-0/+24
| | | | | | | | | | | | | | | | | | | | The TPS service has been modified to provide a list of allowed state transitions based on the current token state. The TPS UI was modified to display only the allowed state transitions when changing the token status. The allowed state transition list has been modified to remove invalid token transitions including: * UNINITIALIZED -> FOUND * UNINITIALIZED -> TEMP_LOST_PERM_LOST The token FOUND state has been renamed to ACTIVE for clarity. The token TEMP_LOST_PERM_LOST state has been merged into PERM_LOST since they are identical in the database. https://fedorahosted.org/pki/ticket/1289 https://fedorahosted.org/pki/ticket/1291 https://fedorahosted.org/pki/ticket/1684
* Avoid profile race conditions by tracking entryUSNFraser Tweedale2016-01-191-0/+5
| | | | | | | | | | | | | Avoid race conditions in the LDAPProfileSubsystem by tracking the most recently known entryUSN of profiles' LDAP entries. As part of this change, add the commitProfile method to the IProfileSubsystem interface, remove commit behaviour from the enableProfile and disableProfile methods and update ProfileService and ProfileApproveServlet to commit the profile (using the commitProfile method) where needed. Part of: https://fedorahosted.org/pki/ticket/1700
* Updated CLI to run individual selftests.Endi S. Dewata2016-01-185-0/+217
| | | | | | | | | The pki selftest-run command has been modified to execute the specified selftests, or all selftests if nothing is specified. The command will also display the status of each test and the stack trace if it fails. https://fedorahosted.org/pki/ticket/1502
* Fixed selftest error handling.Endi S. Dewata2015-12-012-20/+20
| | | | | | | | The selftest has been modified to throw an exception and provide more specific error message if a test fails in order to help troubleshoot the problem. https://fedorahosted.org/pki/ticket/1328
* Added mechanism to import existing CA certificate.Endi S. Dewata2015-11-251-0/+12
| | | | | | | | | | | The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA. https://fedorahosted.org/pki/ticket/456
* Refactored LDAPSecurityDomainSessionTable.Endi S. Dewata2015-10-291-9/+9
| | | | | | | The LDAPSecurityDomainSessionTable has been modified to throw an exception if there is a failure. https://fedorahosted.org/pki/ticket/1633
* Replaced legacy HttpClient.Endi S. Dewata2015-10-221-3/+17
| | | | | | | | | | | | | The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap. The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter. https://fedorahosted.org/pki/ticket/342
* Removed unused WizardServlet.Endi S. Dewata2015-10-221-22/+8
| | | | | | | | | | The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well. https://fedorahosted.org/pki/ticket/1120
* Store issuer DN in certificate recordsFraser Tweedale2015-10-211-2/+5
| | | | | | | | Lightweight CAs mean that we may wish to filter certificates based on the issuer. Update X509CertImplMapper to store the issuer DN in each certificate record, using exiting schema. Also add indices for the 'issuerName' LDAP attribute.
* Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as ↵Christina Fu2015-10-202-1/+3
| | | | client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
* Lightweight CAs: implement deletion API and CLIFraser Tweedale2015-10-066-0/+54
| | | | | | | Implement lightweight authority deletion including CLI command. To be deleted an authority must be disabled and have no sub-CAs. Fixes: https://fedorahosted.org/pki/ticket/1324
* Added Java client and CLI support for Feature resource.Ade Lee2015-10-023-5/+58
|
* Ticket #1593 auto-shutdown - for HSM failover supportChristina Fu2015-10-013-1/+17
| | | | | | | | | | | | | | | This is an interim solution for supporting HSM failover by automatically shutting down the server when signing key becomes inaccessible. At auto-shutdown, a crumb fiile will be left in the instance directory for an external daemon to detect and restart, if necessary. Due to limitation of the watch dog (nuxwdog) at present time, the restart option currently only works if started with watch dog (nuxwdog), and it will prompt for passwords on the terminals. The restart counter is to prevent the server from going into an infinite restart loop. Administrator will have to reset autoShutdown.restart.count to 0 when max is reached. (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Refactored certificate processors.Endi S. Dewata2015-09-301-5/+7
| | | | | | | | | | | | | The CertProcessor.setCredentialsIntoContext() and CAProcessor. authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets). The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes. https://fedorahosted.org/pki/ticket/1463
* Added Features REST API resourceAde Lee2015-09-272-0/+195
| | | | | | | | | This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features. The Java client is not included in this commit. Will add in a subsequent commit.
* Lightweight CAs: REST cert request param to specify authorityFraser Tweedale2015-09-262-3/+18
| | | | | | | | Add the optional "ca" query parameter for REST cert request submission. Also update the ca-cert-request-submit CLI command with an option to provide an AuthorityID. Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: add ca-authority CLIFraser Tweedale2015-09-262-1/+64
| | | | | | Add CLI commands for creating, listing and showing lightweight CAs. Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: initial supportFraser Tweedale2015-09-2611-4/+403
| | | | | | | | | | | | | This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented. Part of: https://fedorahosted.org/pki/ticket/1213
* API: add support for generic entitiesFraser Tweedale2015-09-142-3/+21
|
* Fixed missing cert request hostname and address.Endi S. Dewata2015-08-052-10/+8
| | | | | | | | | | | | The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well. https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replicationAde Lee2015-07-311-2/+17
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Removed audit CLI from non-TPS subsystems.Endi S. Dewata2015-07-174-8/+0
| | | | | | | | | | Due to database upgrade issue the pki <subsystem>-audit CLI has been removed from all subsystems except TPS. The AuditModifyCLI has been modified to clarify that the --action and the --input parameters are mutually exclusive. https://fedorahosted.org/pki/ticket/1437
* Ticket 1459 Dogtag clients cannot connect when CS is configured with ECCChristina Fu2015-07-131-0/+4
| | | | clients are: cli, HttpClient, and java console
* Fixed user-cert-add --serial with remote CA.Endi S. Dewata2015-07-095-217/+344
| | | | | | | | | | | | | | | | | The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally. A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance. The SubsystemCLI has been modified to call logout() only if the operation is executed successfully. The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient. https://fedorahosted.org/pki/ticket/1448
* Cleaned up SystemConfigService.validateRequest().Endi S. Dewata2015-07-012-2/+2
| | | | | | | | | | The configure() in SystemConfigService method has been modified to log only the error message in normal responses but log the full stack trace when unexpected issues occur. The validateData() in SystemConfigService has been renamed to validateRequest() for clarity. The log messages have been modified to include the invalid values entered in the request.
* Fixed selftests log message.Endi S. Dewata2015-06-232-6/+4
| | | | | | | | | | | | | The SelfTestSubsystem has been modified to display a 'successful' message only if all tests have passed. If a test fails, it will log a failure, subsequent tests will not be executed, and the subsystem will shutdown immediately. The runSelfTest() in various tests have been cleaned up to throw the original exception to help troubleshooting. The unused RAPresence test has been removed. https://fedorahosted.org/pki/ticket/1249
* Fixed thread leaks during shutdown.Endi S. Dewata2015-06-183-9/+11
| | | | | | | | Various codes have been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads. https://fedorahosted.org/pki/ticket/1327
* Startup log message improvementes.Endi S. Dewata2015-06-161-1/+0
| | | | | | | | The PKIListener has been modified to verify that all subsystems are running and to show the command to enable the subsystem if it was disabled due to errors. https://fedorahosted.org/pki/ticket/1406
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-112-145/+11
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-33/+9
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* Fix some javadoc errors that prevent F23 buildAde Lee2015-04-248-18/+2
|
* Add nuxwdog functionality to DogtagAde Lee2015-04-222-2/+2
| | | | | | | | | | | | This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes. Code is also added to prompt for and test required passwords on startup. All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Ticket 1316 Allow adding SAN to server cert during the install processChristina Fu2015-04-211-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) check the sl sever cert, it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
* Fixed TPS REST services.Endi S. Dewata2015-04-178-12/+12
| | | | | | | | The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status. https://fedorahosted.org/pki/ticket/1292
* Remove unused RequestSubsystem constructorFraser Tweedale2015-04-161-28/+0
|
* Simplified login response formatsEndi S. Dewata2015-04-131-26/+16
| | | | | | | The formats of XML and JSON responses of the AccountService.login() have been modified to be more consistent and user-friendly. https://fedorahosted.org/pki/ticket/1343
* Fixed problem with TPS profile default status.Endi S. Dewata2015-04-081-0/+5
| | | | | | | | | | The base class of ProfileDatabase (i.e. CSCfgDatabase) has been modified to return the correct default value (i.e. Enabled) if the status parameter doesn't exist. The TPSProcessor has been modified to use ProfileDatabase and other TPS codes have also been changed to use constants instead of string literals to ensure consistency. https://fedorahosted.org/pki/ticket/1270
* Added interface to show TPS token certificates.Endi S. Dewata2015-04-082-2/+3
| | | | | | | The TPS REST service, CLI, and UI have been modified to provide an interface to search for certificates belonging to a token. https://fedorahosted.org/pki/ticket/1164
* Update pki-profile CLI commands to work with "raw" formatFraser Tweedale2015-04-072-1/+61
| | | | | | | | Update CLI commands for working with the (now LDAP-based) profiles in the same format as was used by the files, by way of the --raw option. Also add the "edit" command to interactively edit a profile.
* Add ability to enable/disable dynamic subsystemsFraser Tweedale2015-04-072-0/+31
| | | | | | | | | | | | | | | | | The CA installation process requires starting with the profile subsystem disabled, then enabling it once profiles have been loaded into the database. Accordingly, to avoid hacks with hardcoded offsets, add the "enabled" CS.cfg configuration parameter along with methods to enable or disable a subsystem based on the subsystem ID. A disabled subsystem does not have its `init` method called, but it is still instantiated and added to the registry so that other code can look up a subsystem by name and find out its class. Subsystems are enabled by default. This commit also removes an assumption that the subsystem config sub-store names are sequential numbers beginning at `0`.
* Add LDAPProfileSubsystem to store profiles in LDAPFraser Tweedale2015-04-073-18/+7
| | | | | | | | | | | | Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour in to new AbstractProfileSubsystem superclass. Also address the minor issue #1220.
* Store groups on AuthToken and update group evaluatorFraser Tweedale2015-03-161-0/+2
| | | | | | | | | | | | | Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken. Also update the group evaluator to match against all the groups stored in the AuthToken. The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction. Fixes https://fedorahosted.org/pki/ticket/1174
generated by cgit (git 2.34.1) at 2024-07-03 20:42:42 +0000