| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
The cert-request-approve has been merged into cert-request-review
to ensure that these operations are executed in the same session.
Ticket #474
|
|
|
|
| |
* TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
|
| |
|
| |
|
|
|
|
|
|
|
| |
A utility class has been added to convert LDAP exceptions into PKI
exceptions.
Ticket #191, #214
|
|
|
|
|
|
|
| |
The certificate REST service has been modified to validate
nonce when revoking a certificate.
Ticket #213
|
|
|
|
|
|
|
|
|
|
|
| |
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
|
| |
|
|
|
|
| |
Trac Ticket #466
|
| |
|
|
|
|
| |
Ticket #418
|
|
|
|
|
|
| |
This patch improves number verification.
Bug 864397.
|
|
|
|
| |
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
|
|
|
|
| |
As oer review, changed useCommonAdmin to importAdminCert
|
|
|
|
|
|
|
|
| |
The CertSearchRequest has been modified to fix the infinite loop
in getIssuedOnTo(). The CertFindCLI has been modified to accept
dates with format YYYY-MM-DD instead of epoch time.
Ticket #416
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, it will be possible to install a default instance
simply by adding the passwords in the pkideployment.cfg. This file
can then be used without additional alteration to add subsystems to the
same instance, by re-running pkispawn against the config file.
The patch makes sure that cert nicknames, database and baseDN , admin users
and client db are unique per subsystem. An option is added to reuse the
existing server cert generated by the first subsystem and copy the
required data to all subsystems.
Ticket 379, 385
|
| |
|
|
|
|
|
|
|
|
| |
The web.xml in KRA has been modified to enable the authentication
for key and key request services. Some tools have been added to
access the services via command-line.
Ticket #376
|
|
|
|
|
|
|
|
| |
Some synchronized methods in CertificateRepository may block
modifyCeritifcateRecord() too long, so they have been moved
into CRLIssuingPoint and CertStatusUpdateThread.
Ticket #313
|
|
|
|
|
|
|
| |
The GetDomainXML servlet has been refactored to use the new
SecurityDomainProcessor.
Ticket #309
|
|
|
|
|
|
|
|
| |
The REST interface for security domain has been updated to provide
a method to get the domain info. A CLI has been provided to access
this method.
Ticket #309
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RetrieveModificationsTask has been modified such that it can
recover from errors while still allowing graceful shutdown.
The task is scheduled to run once. When it's done it will schecule
another one depending on the situation. If the search is abandoned
or the connection is closed it will wait one minute before
reconnecting. If the system is being shutdown it will not
schedule any more task.
Ticket #365
|
|
|
|
|
| |
The security configuration, JAXB mappings, and test script for KRA
have been updated to run properly.
|
|
|
|
|
|
|
|
|
| |
A REST account service has been added to allow client to login
to establish a session and to logout to destroy the session. This
way multiple operations can be executed using the same session
without having to re-authenticate.
Ticket #357
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously in PKIRealm the authentication token was stored in a thread
local variable. This does not work for multiple operations executed
using the same session because each operation may be handled by
different threads. A new PKIPrincipal has been added to store the
authentication token so that the threads can get the correct token
for the session.
Ticket #357
|
|
|
|
|
|
|
|
|
| |
The code in PKIClient has been refactored into PKIConnection
such that a single connection object can be used by several
REST clients. The PKIClient will remain the base class for
all REST clients.
Ticket #357
|
|
|
|
|
|
|
| |
The GetCookie servlet has been refactored to use the new
SecurityDomainProcessor.
Ticket #309
|
|
|
|
|
|
|
|
| |
The REST interface for security domain has been refactored and
configured such that it requires authentication. A CLI has been
added to get an installation token.
Ticket #309
|
|
|
|
|
| |
This is a workaround until we can get the new interface working on IPA
clones.
|
| |
|
|
|
|
|
|
|
| |
The GetStatus servlet has been modified to include the server version
number.
Ticket #339
|
| |
|
|
|
|
|
|
|
| |
The escapeDN() has been renamed into escapeRDNValue() for better
clarity.
Ticket #193
|
|
|
|
| |
client-side and server-side key generation, and key archival)
|
|
|
|
| |
Ticket 314
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We create a user that can be used to connect to the database using the
subsystem cert for client auth. We identified this user, using the seeAlso
attribute and provided certmap rules to this effect.
For this user, we used to reuse the uid = user CA-hostname-port, which is already
created for inter-system communication. But this is problematic if more than one
dbuser exists, as the directory server may bind as the incorrect user. In any
replication topology, there must be only one dbuser using the subsystem cert.
To simplify things, we create a new user specifically for this purpose
(pkidbuser), and we remove the seeAlso attribute from the older dbusers.
A script is needed to convert existing dogtag 9 istances to use the new user,
and set the relevant acls. This will be done in a separate commit.
|
|
|
|
|
|
|
| |
The ConfigurationUtils has been modified to escape values used in
DN or filter according to LDAP standard.
Ticket #193
|
|
|
|
|
|
|
|
| |
The duplicate methods to escape DN value have been removed. The
codes that used the duplicate methods have been modified to use
LDAPUtil.escapeDN().
Ticket #193
|
|
|
|
|
|
|
| |
The UGSubsystem has been modified to escape values used in DN or
filter according to LDAP standard.
Ticket #193
|
|
|
|
| |
TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival)
|
|
|
|
|
|
|
| |
Added logging so that we can see what is passed in to server from pkispawn.
Fixed incorrect dbuser specification.
Added required replication config items to pkispawn.
Initial refactoring of construct_pki_configuration_data in pkijython.py
|
|
|
|
| |
internal db in cert status thread.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, they will register their
own realms into the proxy realms such that the authentications will
be forwarded to the appropriate subsystems.
Ticket #89
|
|
|
|
|
|
|
|
|
| |
During subsystem configuration the ConfigurationUtils.importLDIFS()
would generate LDIF files in <instance>/conf folder which may conflict
with files belonging to other subsystems. The code has been modified
to generate the files in <instance>/<subsystem>/conf folder.
Ticket #89
|
|
|
|
| |
This allow server to come up with DS where anon binds are turned off.
|
|
|
|
|
|
|
|
|
|
| |
The pki-client.jar has been split and merged into pki-certsrv.jar
and pki-tools.jar. The REST client classes are now packaged in
com.netscape.certsrv.<component> packages. The REST CLI classes
are now packaged in com.netscape.cmstools.<component> packages.
The "pki" script has been moved into pki-tools RPM package.
Ticket #215
|