| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
The configuration code has been modified to use the REST interface
to get the installation token and ignore CA cert validation errors.
Ticket #476
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously nonces were stored in a global map which might not scale
well due to some issues:
1. The map uses the nonces as map keys. There were possible nonce
collisions which required special handling.
2. The collision handling code was not thread safe. There were
possible race conditions during concurrent modifications.
3. The map was shared and size limited. If there were a lot of
users using the system, valid nonces could get pruned.
4. The map maps the nonces to client certificates. This limits
the possible authentication methods that can be supported.
Now the code has been modified such that each user has a private map
in the user's session to store the nonces. Additional locking has been
implemented to protect against concurrent modifications. The map now
uses the target of the operation as the map key, eliminating possible
collisions and allowing the use of other authentication methods. Since
this is a private map, it's not affected by the number of users using
the system.
Ticket #474
|
|
|
|
|
|
|
| |
The cert-request-approve has been merged into cert-request-review
to ensure that these operations are executed in the same session.
Ticket #474
|
|
|
|
| |
* TRAC Ticket #488 - Dogtag 10: Fix CLI 'cert-find' clientAuth issue
|
| |
|
| |
|
|
|
|
|
|
|
| |
A utility class has been added to convert LDAP exceptions into PKI
exceptions.
Ticket #191, #214
|
|
|
|
|
|
|
| |
The certificate REST service has been modified to validate
nonce when revoking a certificate.
Ticket #213
|
|
|
|
|
|
|
|
|
|
|
| |
* Added RESTful servlet to add/remove a KRA connector from the CA.
* Modified ACL to allow KRA subsystem user to remove connector.
* Modified connector code to allow the connector to be replaced without a server restart.
* Added functionality to pki CLI to add/remove connector
* Added code to pkidestroy to remove the connector (using both pki CLI and sslget)
When the issues with pki connection are resolved, we will use that method instead.
* Modified sslget to accept HTTP return codes != 200. In this case, we were returning
204 - which is perfectly legitimate.
|
|
|
|
| |
* TRAC Ticket #430 - License for 3rd party code
|
| |
|
|
|
|
| |
Trac Ticket #466
|
|
|
|
|
|
| |
* TRAC Ticket #469 - Dogtag 10: Fix tomcatjss issue in pki-core.spec and
dogtag-pki.spec . . .
* TRAC Ticket #468 - pkispawn throws exception
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Tomcat in f17 expects the file under /etc/sysconfig/foo to be a
set of environment variables being set, and parses it that way.
We recently added some logic to source the global pki.conf file.
This works in f18, but breaks instance startup in f17.
While this works in f18, its an indication that we are using the
tomcat config file incorrectly. Reverting to hardcoding resteasy lib.
|
|
|
|
| |
Ticket #418
|
|
|
|
|
|
|
|
|
| |
The paths to RESTEasy jar files have been modified such that it can
be configured globally at build time using the spec file to support
different distributions, and at deployment time using a system-wide
configuration in /etc/pki/pki.conf.
Ticket #422, #423.
|
|
|
|
|
|
| |
This patch improves number verification.
Bug 864397.
|
|
|
|
| |
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The messages in ProfileList.template in CA EE has been extracted
into a properties file which can be translated separately.
The original messages in the template have been marked as follows:
<span class="message" name="...key...">...message...</span>
When the page is loaded into the browser, the original message will
be replaced with the translated messages.
Ticket #406
|
|
|
|
| |
As oer review, changed useCommonAdmin to importAdminCert
|
|
|
|
|
|
|
| |
The pki.policy has been modified to grant permission to symkey.jar
which is used by TKS.
Ticket #415
|
|
|
|
|
|
|
|
| |
The CertSearchRequest has been modified to fix the infinite loop
in getIssuedOnTo(). The CertFindCLI has been modified to accept
dates with format YYYY-MM-DD instead of epoch time.
Ticket #416
|
| |
|
|
|
|
|
|
|
| |
1. Modified cmake dependency
2. Corrected conditionals in spec file
3. Added paths for resteasy-base
4. Added paths to policy for resteasy-base
|
| |
|
|
|
|
|
|
|
| |
The common templates have moved from common-ui into base/common.
The deployment tools have been updated to use the new location.
Ticket #407
|
|
|
|
|
|
|
|
|
| |
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With this patch, it will be possible to install a default instance
simply by adding the passwords in the pkideployment.cfg. This file
can then be used without additional alteration to add subsystems to the
same instance, by re-running pkispawn against the config file.
The patch makes sure that cert nicknames, database and baseDN , admin users
and client db are unique per subsystem. An option is added to reuse the
existing server cert generated by the first subsystem and copy the
required data to all subsystems.
Ticket 379, 385
|
| |
|
|
|
|
| |
* TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
|
|
|
|
|
|
|
|
| |
The web.xml in KRA has been modified to enable the authentication
for key and key request services. Some tools have been added to
access the services via command-line.
Ticket #376
|
|
|
|
|
|
|
|
| |
Some synchronized methods in CertificateRepository may block
modifyCeritifcateRecord() too long, so they have been moved
into CRLIssuingPoint and CertStatusUpdateThread.
Ticket #313
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The tomcat.conf and the template deployment configuration have been
modified to enable the security manager. The operations script has
been modified to generate a new catalina.policy from the standard
Tomcat policy, the standard PKI policy and the custom policy every
time the instance is started.
The current catalina.policy has been changed to store a header for
the dynamically generated catalina.policy. A new pki.policy has been
added to store the default PKI security policy. An empty
custom.policy has been added to store policy customization.
Ticket #223
|
|
|
|
|
|
|
| |
The GetDomainXML servlet has been refactored to use the new
SecurityDomainProcessor.
Ticket #309
|
|
|
|
|
|
|
|
| |
The REST interface for security domain has been updated to provide
a method to get the domain info. A CLI has been provided to access
this method.
Ticket #309
|
|
|
|
| |
Ticket 369
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The RetrieveModificationsTask has been modified such that it can
recover from errors while still allowing graceful shutdown.
The task is scheduled to run once. When it's done it will schecule
another one depending on the situation. If the search is abandoned
or the connection is closed it will wait one minute before
reconnecting. If the system is being shutdown it will not
schedule any more task.
Ticket #365
|
|
|
|
|
| |
The security configuration, JAXB mappings, and test script for KRA
have been updated to run properly.
|
|
|
|
|
|
|
|
|
| |
A REST account service has been added to allow client to login
to establish a session and to logout to destroy the session. This
way multiple operations can be executed using the same session
without having to re-authenticate.
Ticket #357
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Previously in PKIRealm the authentication token was stored in a thread
local variable. This does not work for multiple operations executed
using the same session because each operation may be handled by
different threads. A new PKIPrincipal has been added to store the
authentication token so that the threads can get the correct token
for the session.
Ticket #357
|
|
|
|
|
|
|
|
|
| |
The code in PKIClient has been refactored into PKIConnection
such that a single connection object can be used by several
REST clients. The PKIClient will remain the base class for
all REST clients.
Ticket #357
|
|
|
|
|
|
|
| |
The GetCookie servlet has been refactored to use the new
SecurityDomainProcessor.
Ticket #309
|
|
|
|
|
|
|
|
| |
The REST interface for security domain has been refactored and
configured such that it requires authentication. A CLI has been
added to get an installation token.
Ticket #309
|
|
|
|
|
| |
This is a workaround until we can get the new interface working on IPA
clones.
|
| |
|