New CLI modules have been added for each subsystem. The user commands
have been added to these subsystems while keeping the original command
for backward compatibility.
Ticket #701
A new Client class was added as a base for all client classes. The
SubsystemClient was added as a base for all subsystem clients. It also
provides methods to authenticate against the subsystem. The DRMClient
has been renamed to KRAClient to match the actual subsystem name.
Ticket #701
A new generic database class has been added to simplify in-memory
database creation. The token database has been refactored to inherit
this class.
Ticket #652
The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.
Added self tests analogous to the tests previously performed
in the C subsystem.
cmscore classes should not depend on classes in cms.
This code allows pkispawn to configure a tps in tomcat.
It does not include any config using the web UI panels.
A skeleton for token service and the clients has been added. Currently
it's storing the database in memory. The actual implementation using
LDAP database will be added after the TPS configuration code is ready.
Ticket #652
Simplified the inputs, outputs for ProfileData
1. Fixed REST API as per review.
2. Add output for profile-show and profile-find
The authenticator configuration has been modified to store the authentication
info in the session so it can be used by the servlets. An upgrade script has
been added to update the configuration in existing instances.
The SSLAuthenticatorWithFallback was modified to propagate the configuration
to the actual authenticator handling the request.
NullPointerException if a parameter is not supplied by the caller (TPS) - cfu
The CryptoManager.initialize() and CryptoToken.login() invocation has been
moved into the main program as a workaround for the authentication problem
on RHEL and to ensure proper initialization in general.
Bugzilla #985111
This adds the initial framework for viewing and managing profiles.
Also adds CLI code for viewing/adding/deleting and editing profiles.
The CMSRequest is a server class but it's used by the ICommandQueue
that belongs in the base package. To fix the dependency issue the
CMSRequest has been refactored to implement a new interface
ICMSRequest in the base package. Some constants in CMSRequest have
also been moved into ICMSRequest. All code referencing CMSRequest
has been adjusted accordingly.
The key import code was written for when there was only one
subsystem per tomcat instance, and only one subsystem's certs
and keys per p12 file. We need to ensure that only the master's
subsystem keys and certs are imported. Otherwise, unpredictable
behavior happens, like in Ticket 665.
The build and deployment tools have been modified to support creating
a basic Tomcat instance to run TPS. New configuration and template
files for TPS have been copied from another Tomcat subsystem. The TPS
functionality itself will be added in future patches.
Ticket #526
Add checking for sane lengths of the fields in the subject dn.
Previously the server certificate name was partially hard-coded as
"Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems
it can be fully configured using pki_ssl_server_nickname parameter.
In Apache-based subsystems it's left unchanged.
Unused serverCertNick.conf files have been removed.
Ticket #631
This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset.
Ticket #571
This patch provides plug-in randomizing validity
Ticket #607
java.security.NoSuchAlgorithmException" when using NetHSM token
- small patch to remove Eclipse warning
java.security.NoSuchAlgorithmException" when using NetHSM token
Recently the CLI was changed to initialize the default client database
automatically which will create it if it did not exist before. This was
causing a problem since the database was not created with a password.
To create the database properly a separate command is needed. For now
the CLI is reverted to the old behavior where it initializes the database
only if it is required for SSL connection and/or client authentication.
Previously the -w option was used to specify the password for
either the username/password authentication or client database
password to do client certificate authentication. Since the
passwords now may be used at the same time, a new -c option
has been added for the client database password.
The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.
The instanceCreationMode is now redundant and has been removed from
ClientConfig.
A new method has been added to the PKIClient to download the CA
certificate chain from an alternative location including the admin
interface.
Ticket #491
The default client database location for CLI has been changed to
~/.dogtag/nssdb. The database will always be initialized regardless
of whether it is actually used.
Ticket #491
The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse.
The Client classes have been modified such that they use a shared
PKIClient object instead of PKIConnection.
The return codes in CertFindCLI have been fixed to be more consistent
with other commands.
Ticket #491
This patch improves cloning in regards to configuration of random certificate serial numbers.
Bug: 922121.
This patch corrects JavaScript inability to handle big numbers in key recovery process.
Bug: 955784.
Output the actual result of a revoke/unrevoke operation in CLI. Since
the actual result of the operation can be different from the cert request
status.
Ticket #217
This patch corrects key IDs miscalculated by JavaScript for key search results and key record views.
Bug: 951501.
New options have been added to the CLI to reject or ignore certain
cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
The options can also be defined in pki.conf as a system-wide policy.
Ticket #491
The CLI has been modified such that when it connects to an untrusted
server it will ask the user whether to import the CA certificate and
also ask for the location of the CA server from which to download
the CA certificate.
Ticket #491
Changed the status check and restart commands to systemctl.
The text $errorString will not be seen when the security domain login panel
is launched for the first time.
Ticket #452
D9 instances run on tomcat6, which does not have support for the
authenticator and realm. We are not supporting the REST operations
on D9 style instances. They will need to be migrated.
The migration framework has been modified to process d9 or d10
style instances, and a migration script has been added to add the new
servlet to existing d9 instances.
This patch adds support for random certificate serial numbers.
Bug 912554.
The upgrade framework has been modified to use pki.conf to track
system upgrade, tomcat.conf to track instance upgrade, and CS.cfg
to track subsystem upgrade.
The preop.product.version in CS.cfg has been renamed into
cms.product.version and is now used to track upgrade.
Ticket #544
Modified code to use this interface by default. Added required
migration script code.
Ticket 546
SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration
Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
|
NSCertTypeExtension bits (patch from mpoole)
A new option has been added to the CLI to capture HTTP requests
and responses and store them in the specified folder.
Ticket #523
Connection is now made to the installation servlet through a python
client using JSON. The code to construct the ConfigurationRequest and
parse the results has been moved to pkihelper.py, and configuration.py
no longer calls a separate jython process to create the Configuration
object and parse the results. The jython code has therefore been removed.
Also added status servlet to other java subsystems, to be tested prior
to starting configuration.
Trac Ticket 532