| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
The upgrade framework has been split into base and server upgrade
frameworks since they will be run automatically by different RPM
packages during upgrade. The base upgrade framework will upgrade
the system configuration. The server upgrade framework will upgrade
the instances and subsystems.
Ticket #544
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse.
The Client classes have been modified such that it uses a shared
PKIClient object instead of PKIConnection.
The return codes in CertFindCLI has been fixed to be more consistent
with other commands.
Ticket #491
|
|
|
|
|
|
| |
This patch improves cloning in regards to configuration of random certificate serial numbers.
Bug: 922121.
|
|
|
|
|
|
|
| |
The pki.conf has been moved into the base/common folder to match
the RPM package.
Ticket #553
|
|
|
|
|
|
| |
This patch corrects JavaScript inability to handle big numbers in key key recovery process.
Bug: 955784.
|
|
|
|
|
|
|
|
| |
Output the actual result of a revoke/unrevoke operation in CLI. Since
the actual result of the operation can be different from the cert request
status.
Ticket #217
|
|
|
|
|
|
| |
This patch corrects key IDs miscalculated by JavaScript for key search results and key record views.
Bug: 951501.
|
|
|
|
|
|
|
|
| |
New options have been added to the CLI to reject or ignore certain
cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
The options can also be defined in pki.conf as a system-wide policy.
Ticket #491
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when it connects to an untrusted
server it will ask the user whether to import the CA certificate and
also ask for the location of the CA server from which to download
the CA certificate.
Ticket #491
|
|
|
|
|
|
|
|
| |
Changed the status check and restart commands to systemctl.
The text $errorString will not be seen when the security domain login panel
is launched for the first time.
Ticket #452
|
|
|
|
|
|
|
|
|
|
| |
D9 instances run on tomcat6, which does not have support for the
autheticator and realm. We are not supporting the REST operations
on D9 style instances. They will need to be migrated.
The migration framework has been modified to process d9 or d10
style instances, and a migration script has been added to add the new
servlet to existing d9 instances.
|
|
|
|
|
|
| |
This patch adds support for random certificate serial numbers.
Bug 912554.
|
|
|
|
|
|
|
|
|
|
|
| |
The upgrade framework has been modified to use pki.conf to track
system upgrade, tomcat.conf to track instance upgrade, and CS.cfg
to track subsystem upgrade.
The preop.product.version in CS.cfg has been renamed into
cms.product.version and is now used to track upgrade.
Ticket #544
|
|
|
|
|
|
|
| |
Some common constants and methods in pki.upgrade have been moved
into the pki module.
Ticket #544
|
|
|
|
|
|
|
| |
Modified code to use this interface by default. Added required
migration script code.
Ticket 546
|
|
|
|
|
|
|
|
| |
A new Python library has been added to provide a framework to develop
upgrade scriptlets. A new CLI has been added to execute the upgrade
scriptlets.
Ticket #544
|
|
|
|
|
|
| |
SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration
Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
|
|
|
|
| |
NSCertTypeExtension bits (patch from mpoole)
|
| |
|
|
|
|
|
|
|
| |
A new option has been added to the CLI to capture HTTP requests
and responses and store them in the specified folder.
Ticket #523
|
|
|
|
|
|
|
| |
The class registration for JSON encoding has been moved after the
class definitions to avoid problems.
Ticket #532
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Connection is now made to the installation servlet through a python
client using JSON. The code to construct the ConfgurationRequest and
parse the results has been moved to pkihelper.py, and configuration.py
no longer calls a separate jython process to create the Configuration
object and parse the results. The jython code has therefore been removed.
Also added status servlet to other java subsystems, to be tested prior
to starting configuration.
Trac Ticket 532
|
|
|
|
|
|
|
|
|
|
| |
By default Tomcat relies on /dev/random as a random number generator
to generate the session ID's. Under certain conditions /dev/random
may block, which will block Tomcat as well. To solve the problem all
webapps in Tomcat have been configured to use the random number
generator provided by JSS.
Ticket #524
|
|
|
|
|
|
|
|
| |
The Python REST client has been modified to parse JSON data using a method
that is compatible with python-requests 1.1. The RPM spec file has been
modified to require python-requests 1.1 package.
Ticket #535
|
| |
|
|
|
|
|
|
|
|
|
| |
The installer script has been modified to validate security domain
info in both interactive and silent installation.
A basic Python API has been added to access the REST interface.
Ticket #473
|
| |
|
|
|
|
|
|
|
| |
A new cert-request-show command has been added to allow EE users to
check certificate request status.
Ticket #511
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new mechanism has been added to specify the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods. When a
client calls a REST method, the AuthMethodInterceptor will intercept the
call and verify that the client uses an allowed authentication method.
Most REST methods that require authentication have been configured to
require client certificate authentication. Authentication using username
and password will only be used to get the installation token from security
domain.
Ticket #477
|
|
|
|
|
|
|
|
| |
New CLI's have been added to search, add, and remove user membership.
The group member management code has been refactored into a processor
to allow reuse.
Ticket #190
|
|
|
|
|
|
|
| |
The cert-find command has been modified to provide an option to
search by certificate status.
Ticket #501
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
The cert-find command has been modified to include some additional
attributes including certificate type and version, key algorithm
name and length, validity dates, creation time and issuer.
Ticket #498
|
|
|
|
|
|
|
|
|
| |
The cert-find command has been fixed to show better error messages
on missing validity duration options. The validity duration unit
has been changed to take "day", "week", "month", or "year" and
convert it into milliseconds.
Ticket #291, #500
|
|
|
|
|
|
|
|
| |
The SecurityDomainProcessor has been modified to generate the host
ID from the subsystem type, hostname, and secure port instead of
relying on the user-configurable SubsystemName attribute.
Ticket #503
|
|
|
|
|
|
|
|
| |
All date parameters for cert-find have been modified to use the
YYYY-MM-DD date format. Date parsing code in FilterBuilder has
been modified not to ignore parsing errors.
Ticket #497
|
|
|
|
|
|
|
| |
The configuration code has been modified to use the REST interface
to get the installation token and ignore CA cert validation errors.
Ticket #476
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously nonces were stored in a global map which might not scale
well due to some issues:
1. The map uses the nonces as map keys. There were possible nonce
collisions which required special handling.
2. The collision handling code was not thread safe. There were
possible race conditions during concurrent modifications.
3. The map was shared and size limited. If there were a lot of
users using the system, valid nonces could get pruned.
4. The map maps the nonces to client certificates. This limits
the possible authentication methods that can be supported.
Now the code has been modified such that each user has a private map
in the user's session to store the nonces. Additional locking has been
implemented to protect against concurrent modifications. The map now
uses the target of the operation as the map key, eliminating possible
collisions and allowing the use of other authentication methods. Since
this is a private map, it's not affected by the number of users using
the system.
Ticket #474
|
|
|
|
|
|
|
| |
The cert-request-approve has been merged into cert-request-review
to ensure that these operations are executed in the same session.
Ticket #474
|
|
|
|
| |
* TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
|
| |
|
| |
|
|
|
|
|
|
|
| |
A utility class has been added to convert LDAP exceptions into PKI
exceptions.
Ticket #191, #214
|
|
|
|
|
|
|
| |
The certificate REST service has been modified to validate
nonce when revoking a certificate.
Ticket #213
|
|
|
|
|
|
|
|
|
|
|
| |
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
|
|
|
|
| |
* TRAC Ticket #430 - License for 3rd party code
|
| |
|
|
|
|
| |
Trac Ticket #466
|