summaryrefslogtreecommitdiffstats
path: root/base/common/src/com/netscape/cms
Commit message (Collapse)AuthorAgeFilesLines
* Additional output attributes for cert-find.ticket-498Endi Sukma Dewata2013-02-061-7/+30
| | | | | | | | The cert-find command has been modified to include some additional attributes including certificate type and version, key algorithm name and length, validity dates, creation time and issuer. Ticket #498
* Fixed date format for cert-find parameters.Endi Sukma Dewata2013-02-061-6/+1
| | | | | | | | All date parameters for cert-find have been modified to use the YYYY-MM-DD date format. Date parsing code in FilterBuilder has been modified not to ignore parsing errors. Ticket #497
* Fixed getInstallToken() invocation.Endi Sukma Dewata2013-02-041-1/+3
| | | | | | | The configuration code has been modified to use the REST interface to get the installation token and ignore CA cert validation errors. Ticket #476
* Session-based nonces.Endi Sukma Dewata2013-02-0412-147/+178
| | | | | | | | | | | | | | | | | | | | | | | Previously nonces were stored in a global map which might not scale well due to some issues: 1. The map uses the nonces as map keys. There were possible nonce collisions which required special handling. 2. The collision handling code was not thread safe. There were possible race conditions during concurrent modifications. 3. The map was shared and size limited. If there were a lot of users using the system, valid nonces could get pruned. 4. The map maps the nonces to client certificates. This limits the possible authentication methods that can be supported. Now the code has been modified such that each user has a private map in the user's session to store the nonces. Additional locking has been implemented to protect against concurrent modifications. The map now uses the target of the operation as the map key, eliminating possible collisions and allowing the use of other authentication methods. Since this is a private map, it's not affected by the number of users using the system. Ticket #474
* https://fedorahosted.org/pki/ticket/362 RFE: CMC ECCChristina Fu2013-01-153-6/+95
|
* Added LDAP exception converter.Endi Sukma Dewata2013-01-151-3/+4
| | | | | | | A utility class has been added to convert LDAP exceptions into PKI exceptions. Ticket #191, #214
* Added nonce validation for certificate revocation.Endi Sukma Dewata2013-01-154-60/+112
| | | | | | | The certificate REST service has been modified to validate nonce when revoking a certificate. Ticket #213
* Resolved Trac Ticket 367 - pkidestroy does not remove connectorAde Lee2013-01-153-54/+314
| | | | | | | | | | | * Added RESTful servlet to add/remove a KRA connector from the CA. * Modified ACL to allow KRA subsystem user to remove connector. * Modified connector code to allow the connector to be replaced without a server restart. * Added functionality to pki CLI to add/remove connector * Added code to pkidestroy to remove the connector (using both pki CLI and sslget) When the issues with pki connection are resolved, we will use that method instead. * Modified sslget to accept HTTP return codes != 200. In this case, we were returning 204 - which is perfectly legitimate.
* Bug 839426 - [RFE] ECC CRL support for OCSPChristina Fu2013-01-091-1/+23
|
* Increase root CA validity to 20 yearsAde Lee2013-01-072-2/+2
| | | | Trac Ticket #466
* Ticket 191 - Mapping HTTP Exception to their proper HTTP error codesAbhishek Koneru2013-01-0410-135/+148
|
* Remove server code from CertSearchRequestAde Lee2012-12-072-2/+334
| | | | Ticket #418
* number verificationAndrew Wnuk2012-12-064-6/+30
| | | | | | This patch improves number verification. Bug 864397.
* Implemented ability to utilize an external CAMatthew Harmsen2012-12-061-12/+14
| | | | * TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
* Common admin user: config servlet changesAde Lee2012-12-031-35/+50
| | | | As oer review, changed useCommonAdmin to importAdminCert
* Fix for improper crl retrieval from CA.Abhishek Koneru2012-11-211-21/+22
|
* Added ACLInterceptor.Endi Sukma Dewata2012-11-083-8/+18
| | | | | | | | | Previously ACL checking was done in PKIRealm by matching the URL. This code has been replaced by ACLInterceptor which will intercept RESTEasy method invocations. This allows more precise mapping of REST methods to ACL entries in acl.ldif. Ticket #287
* Set paths for default instanceAde Lee2012-11-041-0/+19
| | | | | | | | | | | | | | With this patch, it will be possible to install a default instance simply by adding the passwords in the pkideployment.cfg. This file can then be used without additional alteration to add subsystems to the same instance, by re-running pkispawn against the config file. The patch makes sure that cert nicknames, database and baseDN , admin users and client db are unique per subsystem. An option is added to reuse the existing server cert generated by the first subsystem and copy the required data to all subsystems. Ticket 379, 385
* Fix for ticket 384 - Incorrect profiles path referencedAbhishek Koneru2012-10-291-17/+20
|
* Enabled authentication for key services.Endi Sukma Dewata2012-10-295-52/+41
| | | | | | | | The web.xml in KRA has been modified to enable the authentication for key and key request services. Some tools have been added to access the services via command-line. Ticket #376
* Refactored GetDomainXML servlet.Endi Sukma Dewata2012-10-261-119/+10
| | | | | | | The GetDomainXML servlet has been refactored to use the new SecurityDomainProcessor. Ticket #309
* Added REST interface to get domain info.Endi Sukma Dewata2012-10-263-9/+291
| | | | | | | | The REST interface for security domain has been updated to provide a method to get the domain info. A CLI has been provided to access this method. Ticket #309
* Added REST account service.Endi Sukma Dewata2012-10-221-0/+50
| | | | | | | | | A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
* Provide option to install, rather than replicate schema in a cloneAde Lee2012-10-223-4/+39
|
* Reorder VLV indexing for clones to avoid errorsAde Lee2012-10-223-12/+11
|
* Added PKIConnection.Endi Sukma Dewata2012-10-181-8/+6
| | | | | | | | | The code in PKIClient has been refactored into PKIConnection such that a single connection object can be used by several REST clients. The PKIClient will remain the base class for all REST clients. Ticket #357
* Refactored GetCookie servlet.Endi Sukma Dewata2012-10-181-89/+43
| | | | | | | The GetCookie servlet has been refactored to use the new SecurityDomainProcessor. Ticket #309
* Enabled authentication for security domain REST interface.Endi Sukma Dewata2012-10-185-43/+164
| | | | | | | | The REST interface for security domain has been refactored and configured such that it requires authentication. A CLI has been added to get an installation token. Ticket #309
* Reverted to old interface and httpclient to get installation token.Ade Lee2012-10-121-0/+22
| | | | | This is a workaround until we can get the new interface working on IPA clones.
* Added version number into server status.Endi Sukma Dewata2012-09-281-0/+2
| | | | | | | The GetStatus servlet has been modified to include the server version number. Ticket #339
* fall back to old interface for installtoken if neededAde Lee2012-09-271-3/+71
|
* Renamed escapeDN() into escapeRDNValue().Endi Sukma Dewata2012-09-275-23/+23
| | | | | | | The escapeDN() has been renamed into escapeRDNValue() for better clarity. Ticket #193
* (fixed warning for) task #304 TMS ECC infrastructure (enrollment with ↵Christina Fu2012-09-261-2/+2
| | | | client-side and server-side key generation, and key archival)
* Use getStatus servlet to provide startup statusAde Lee2012-09-211-0/+2
| | | | Ticket 314
* Changes to use standard dbuserAde Lee2012-09-193-26/+48
| | | | | | | | | | | | | | | | | We create a user that can be used to connect to the database using the subsystem cert for client auth. We identified this user, using the seeAlso attribute and provided certmap rules to this effect. For this user, we used to reuse the uid = user CA-hostname-port, which is already created for inter-system communication. But this is problematic if more than one dbuser exists, as the directory server may bind as the incorrect user. In any replication topology, there must be only one dbuser using the subsystem cert. To simplify things, we create a new user specifically for this purpose (pkidbuser), and we remove the seeAlso attribute from the older dbusers. A script is needed to convert existing dogtag 9 istances to use the new user, and set the relevant acls. This will be done in a separate commit.
* Added DN and filter escaping in ConfigurationUtils.Endi Sukma Dewata2012-09-191-19/+19
| | | | | | | The ConfigurationUtils has been modified to escape values used in DN or filter according to LDAP standard. Ticket #193
* Removed duplicate DN escaping methods.Endi Sukma Dewata2012-09-197-127/+11
| | | | | | | | The duplicate methods to escape DN value have been removed. The codes that used the duplicate methods have been modified to use LDAPUtil.escapeDN(). Ticket #193
* https://fedorahosted.org/pki/ticket/304Christina Fu2012-09-181-1/+43
| | | | TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
* Various fixes to installation servlet and pki-deployAde Lee2012-09-121-1/+4
| | | | | | | Added logging so that we can see what is passed in to server from pkispawn. Fixed incorrect dbuser specification. Added required replication config items to pkispawn. Initial refactoring of construct_pki_configuration_data in pkijython.py
* Added proxy realm.Endi Sukma Dewata2012-09-053-0/+314
| | | | | | | | | | | | | | | | | CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realms such that the authentications will be forwarded to the appropriate subsystems. Ticket #89
* Fixed conflicting LDIF files.Endi Sukma Dewata2012-09-041-3/+6
| | | | | | | | | During subsystem configuration the ConfigurationUtils.importLDIFS() would generate LDIF files in <instance>/conf folder which may conflict with files belonging to other subsystems. The code has been modified to generate the files in <instance>/<subsystem>/conf folder. Ticket #89
* Moved REST CLI into pki-tools.Endi Sukma Dewata2012-08-2942-4500/+4
| | | | | | | | | | The pki-client.jar has been split and merged into pki-certsrv.jar and pki-tools.jar. The REST client classes are now packaged in com.netscape.certsrv.<component> packages. The REST CLI classes are now packaged in com.netscape.cmstools.<component> packages. The "pki" script has been moved into pki-tools RPM package. Ticket #215
* Fixed exceptions during shutdown.Endi Sukma Dewata2012-08-282-3/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | The shutdown() methods in several classes have been fixed to allow more graceful shutdown and clean restart. There are two types of object attributes that need to be handled differently. Attributes that are initialized by the constructor should not be nulled during shutdown because they won't be reinitialized during restart. If they require a cleanup (e.g. emptying collections, closing LDAP connections) it's not necessary to check for null before calling the cleanup method because they're never null. For attributes that are initialized during init(), it may not be necessary to do a cleanup or null the attribute since they might still be used by other threads and they will be reinitialized during restart so the old objects will be garbage collected. If they do need a cleanup they should be checked for null because they might still be null due to init() failure or initialization conditionals. If the attributes are initialized conditionally, the logic has been modified to ensure the attributes are either initialized or set to null. Ticket #247
* subsequent OCSPs and DRM connector protectionAndrew Wnuk2012-08-203-50/+60
| | | | | | | | | This patch corrects process of attaching OCSP subsystem to CA. It improves handling of adding subsequent OCSP subsystems to CA. This patch also prevents DRM connector to be overwritten by subsequent DRM installations. Bug 804179.
* PKI Deployment ScriptletsMatthew Harmsen2012-08-179-19/+34
| | | | | | | | | | | * TRAC Ticket #266 - for non-master CA subsystems, pkidestroy needs to contact the security domain to update the domain * Made Fedora 17 rely upon tomcatjss 7.0.0 or later * Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy' * Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common * Changed TPS to require a build-time dependency of 'httpd-devel >= 2.4.2' * Clarified RPM build script's usage message
* Ticket 219 - Conversion of integer variable to BigIntegerAbhishek Koneru2012-08-171-4/+2
|
* Fixed default port number in CLI help message.Endi Sukma Dewata2012-08-171-1/+1
| | | | | The CLI help message has been fixed to show the correct default port number.
* Fixed REST common class dependency.Endi Sukma Dewata2012-08-152-2/+49
| | | | | | | | | The ConfigurationResponse previously has a method that uses a class that exists on the server only, creating a dependency issue since the ConfigurationResponse will be used by the client as well. The method now has been moved into a separate factory class. Ticket #259
* Reorganized REST common classes.Endi Sukma Dewata2012-08-1599-6995/+179
| | | | | | | The common classes used by REST client and services have been moved into the com.netscape.certsrv.<component> packages. Ticket #215
* Reorganized REST server classes.Endi Sukma Dewata2012-08-1517-30/+46
| | | | | | | The factory and DAO classes used by REST services have been moved into the com.netscape.cms.servlet.<component> packages. Ticket #215
generated by cgit (git 2.34.1) at 2024-05-10 11:39:39 +0000