summaryrefslogtreecommitdiffstats
path: root/base/common
Commit message (Collapse)AuthorAgeFilesLines
...
* Ticket 1307 (part1 refactoring) [RFE] Support multiple keySets for different ↵Christina Fu2015-05-211-4/+4
| | | | cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-112-145/+11
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemdAde Lee2015-05-101-0/+6
| | | | | | | | | | | | | | | | | | | | | | This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Ticket 1295 Upgrade script for - CA: OCSP via GET does not workChristina Fu2015-05-051-0/+0
|
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-33/+9
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* Fix some javadoc errors that prevent F23 buildAde Lee2015-04-248-18/+2
|
* Fixed build issues.Endi S. Dewata2015-04-221-1/+1
| | | | | The code has been modified to fix tomcatjss and python-sphinx issues.
* Add nuxwdog functionality to DogtagAde Lee2015-04-222-2/+2
| | | | | | | | | | | | This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes. Code is also added to prompt for and test required passwords on startup. All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Ticket 1316 Allow adding SAN to server cert during the install processChristina Fu2015-04-211-0/+13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) check the sl sever cert, it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
* Added server migration command.Endi S. Dewata2015-04-211-11/+61
| | | | | | | | | | | | New pki-server CLI commands have been added to migrate the server configuration from Tomcat 7 to Tomcat 8 and vice versa. These commands can be used later during system upgrade to migrate existing instances from Tomcat 7 in F22 to Tomcat 8 in F23. The Python CLI framework has been refactored to provide a way to find other CLI modules by the command names. https://fedorahosted.org/pki/ticket/1264
* Fixed TPS REST services.Endi S. Dewata2015-04-178-12/+12
| | | | | | | | The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status. https://fedorahosted.org/pki/ticket/1292
* Remove unused RequestSubsystem constructorFraser Tweedale2015-04-161-28/+0
|
* Simplified login response formatsEndi S. Dewata2015-04-131-26/+16
| | | | | | | The formats of XML and JSON responses of the AccountService.login() have been modified to be more consistent and user-friendly. https://fedorahosted.org/pki/ticket/1343
* Added upgrade script to fix instance work folder ownership.Endi S. Dewata2015-04-081-0/+4
| | | | | | | | The <instance>/work/Catalina/localhost/pki folder was owned by root in Dogtag 10.0.x but now should be owned by pkiuser. An upgrade script has been added to fix the ownership. https://fedorahosted.org/pki/ticket/802
* Fixed problem with TPS profile default status.Endi S. Dewata2015-04-081-0/+5
| | | | | | | | | | The base class of ProfileDatabase (i.e. CSCfgDatabase) has been modified to return the correct default value (i.e. Enabled) if the status parameter doesn't exist. The TPSProcessor has been modified to use ProfileDatabase and other TPS codes have also been changed to use constants instead of string literals to ensure consistency. https://fedorahosted.org/pki/ticket/1270
* Added interface to show TPS token certificates.Endi S. Dewata2015-04-082-2/+3
| | | | | | | The TPS REST service, CLI, and UI have been modified to provide an interface to search for certificates belonging to a token. https://fedorahosted.org/pki/ticket/1164
* Update pki-profile CLI commands to work with "raw" formatFraser Tweedale2015-04-072-1/+61
| | | | | | | | Update CLI commands for working with the (now LDAP-based) profiles in the same format as was used by the files, by way of the --raw option. Also add the "edit" command to interactively edit a profile.
* Add ability to enable/disable dynamic subsystemsFraser Tweedale2015-04-072-0/+31
| | | | | | | | | | | | | | | | | The CA installation process requires starting with the profile subsystem disabled, then enabling it once profiles have been loaded into the database. Accordingly, to avoid hacks with hardcoded offsets, add the "enabled" CS.cfg configuration parameter along with methods to enable or disable a subsystem based on the subsystem ID. A disabled subsystem does not have its `init` method called, but it is still instantiated and added to the registry so that other code can look up a subsystem by name and find out its class. Subsystems are enabled by default. This commit also removes an assumption that the subsystem config sub-store names are sequential numbers beginning at `0`.
* Add LDAPProfileSubsystem to store profiles in LDAPFraser Tweedale2015-04-073-18/+7
| | | | | | | | | | | | Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour in to new AbstractProfileSubsystem superclass. Also address the minor issue #1220.
* PKI TRAC Ticket #1319 - Invalid upgrade script in 10.2.1Matthew Harmsen2015-03-251-0/+0
|
* Store groups on AuthToken and update group evaluatorFraser Tweedale2015-03-161-0/+2
| | | | | | | | | | | | | Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken. Also update the group evaluator to match against all the groups stored in the AuthToken. The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction. Fixes https://fedorahosted.org/pki/ticket/1174
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-1/+1
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).Jack Magne2015-02-2710-5/+576
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | First cut of gp211 and scp protocol 02 for tokens. Allow token operations using a GP211 token over secure channel protocol 02. This patch supports the following: 1. Token operations with a GP211 card and SCP02 protocol, implementation 15. 2. Token still supports GP201 cards with SCP01. 3. SCP02 tested with SC650 gp211/scp02 card. Things still to do: 1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed. 2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket. 3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later. 4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Fixed problem cloning Dogtag 10.1.x to 10.2.x.Endi S. Dewata2015-02-061-12/+53
| | | | | | | | The JSON format of security domain info has changed between Dogtag 10.1.x and 10.2.x, so the Python client library has been changed to accommodate both formats. https://fedorahosted.org/pki/ticket/1235
* Fixed pylint report.Endi S. Dewata2015-02-058-138/+138
| | | | | | | | | | | | | | | Previously pylint report was saved it into a file which may not be accessible on a build system. The pylint-build-scan.sh has been changed to display the report so it will appear in the build log. The pylint configuration has also been modified to disable C and R messages by default. This way when other errors or warnings occur the build will fail without having to check for specific codes. Some Python codes have been modified to reduce the number of pylint warnings. https://fedorahosted.org/pki/ticket/703
* Refactored CRMFPopClient.Endi S. Dewata2015-01-281-0/+22
| | | | | | | | | | | | | | | | | | The CRMFPopClient has been refactored such that it is easier to understand and reuse. The code has been fixed such that it can read a normal PEM transport certificate. It also has been fixed to parse the request submission result properly. The client-cert-request CLI command was modified to support CRMF requests. The MainCLI and ClientConfig were modified to accept a security token name. The pki_java_command_wrapper.in was modified to include the Apache Commons IO library. https://fedorahosted.org/pki/ticket/1074
* Added server management CLI.Endi S. Dewata2015-01-281-0/+145
| | | | | | | | | | | | | A new pki-server CLI has been added to manage the instances and subsystems using the server management library. This CLI manages the system files directly, so it can only be run locally on the server by the system administrator. The autoDeploy setting in server.xml has been enabled by default. An upgrade script has been added to enable the autoDeploy setting in existing instances. https://fedorahosted.org/pki/ticket/1183
* Added server management library.Endi S. Dewata2015-01-281-3/+3
| | | | | | | | | | | | | | | The PKISubsystem and PKIInstance classes used by the upgrade framework have been converted into a server management library. They have been enhanced to provide the following functionalities: * starting and stopping instances * enabling and disabling subsystems * checking instance and subsystem statuses The validate() invocation has been moved out of the constructors into the upgrade framework such that these objects can be created to represent subsystems and instances that do not exist yet. https://fedorahosted.org/pki/ticket/1183
* Moved web application deployment locations.Endi S. Dewata2015-01-282-0/+8
| | | | | | | | | | | | | Currently web applications are deployed into Host's appBase (i.e. <instance>/webapps). To allow better control of individual subsystem deployments, the web applications have to be moved out of the appBase so that the autoDeploy can work properly later. This patch moves the common web applications to <instance>/ common/webapps and subsystem web applications to <instance>/ <subsystem>/webapps. An upgrade script has been added to update existing deployments. https://fedorahosted.org/pki/ticket/1183
* Added support for exception chains in EBaseException.Endi S. Dewata2015-01-212-23/+51
| | | | | | | | | | | The EBaseException has been modified to provide constructors that can be used to chain the cause of the exception. This way the root cause of the exception can be traced back to help troubleshooting. Some codes have been modified to utilize the proper exception chaining as examples. https://fedorahosted.org/pki/ticket/915
* Removed unnecessary EBaseException constructor.Endi S. Dewata2015-01-2114-143/+0
| | | | | | | | | The EBaseException(String msgFormat, String param) constructor has been removed because it's only used once and can be substituted with another constructor. All subclasses of EBaseException have been updated accordingly. https://fedorahosted.org/pki/ticket/915
* Remove legacy multilib JNI_JAR_DIR logicMatthew Harmsen2014-12-041-1/+1
| | | | | | | | | | | | | | | | * Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not found (cherry picked from commit d7a0807b7493fc3d86900ee4aaf8199efd824907) Conflicts: base/java-tools/templates/pki_java_command_wrapper.in base/java-tools/templates/pretty_print_cert_command_wrapper.in base/java-tools/templates/pretty_print_crl_command_wrapper.in base/server/python/pki/server/deployment/pkiparser.py base/server/scripts/operations (cherry picked from commit c8d73ade2c651fd5ca01226c89d5d19828bfc9b7)
* Improvements for KeyClient.archive_encrypted_data().Endi S. Dewata2014-11-251-26/+41
| | | | | | | | | The archive_encrypted_data() in KeyClient has been modified to have a default value for the algorithm OID and to take a nonce IV object instead of the base-64 encoded value. https://fedorahosted.org/pki/ticket/1155 https://fedorahosted.org/pki/ticket/1156
* Removed profile input/output IDs from CLI output.Endi S. Dewata2014-11-251-0/+26
| | | | | | | | | | | | The current profile inputs/outputs do not have meaningful IDs (e.g. i1, i2, o1) and are not used by the client so they should not be displayed in the CLI output. In the future the IDs should be renamed into something meaningful (e.g. keygen, sn, cert) and the inputs/outputs should be retrieved by ID. New methods have been added to retrieve by ID. https://fedorahosted.org/pki/ticket/1147
* Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default ↵Christina Fu2014-11-241-0/+0
| | | | and upgrade
* bugzilla 871171 (client-side code) Provide Tomcat support for TLS v1.1 and ↵Christina Fu2014-11-211-0/+19
| | | | TLS v1.2
* Fixed incorrect Python API docs format.Endi S. Dewata2014-10-282-51/+55
| | | | | | | The Python API docs in some classes/methods have been fixed to remove the errors and warnings generated by python-sphinx. https://fedorahosted.org/pki/ticket/1157
* Updates to some python client classes for prettier API docs.Ade Lee2014-10-279-41/+398
| | | | | Added missing .rst annotations and missing docstrings. Added log file for sphinx runs.
* Added Python Client API Docs to buildAde Lee2014-10-275-0/+462
| | | | | | | This patch builds HTML and man page builds for the python client API delivered in pki-base. Ticket 1157
* Fixed pylint failure on F21.Endi S. Dewata2014-10-271-2/+2
| | | | | The build failed on F21 due to stricter pylint requirements which generate new warnings. For now they are marked to be ignored.
* Updated version to 10.2.1-0.1.Endi S. Dewata2014-10-271-0/+4
| | | | https://fedorahosted.org/pki/ticket/1191
* Bug1151147 issuerDN encoding correctionChristina Fu2014-10-231-0/+5
|
* Updated KRA Python client library.Endi S. Dewata2014-10-092-13/+30
| | | | | | | | | | | | | | | The Python client library for KRA has been modified to simplify the usage. The NSSCryptoProvider's setup_database() and __init__() now take a password file parameter. The import_cert() now can take either cert binary/encoded data or CertData object. It also provides a default value for the trust attribute. The KRAClient now stores the crypto provider object. The KRA test has been updated to provide options to override the default test configuration (e.g. hostname, port). It also has been modified to use a temporary NSS database. The setup document has been updated to describe the process to run the test as root and as a regular user.
* Added CLI to import/export certificates with private keys.Endi S. Dewata2014-10-091-0/+6
| | | | | | | New CLI commands have been added to import/export certificates and private keys into/from the client security database. The CLI can also be used to generate the file needed by Python client library for client certificate authentication.
* Fix sub-CA installation with own security domainAde Lee2014-10-011-0/+15
| | | | | | | | | Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages. Ticket 1132
* ticket #1110 pkispawn (configuration) does not provide CA extensions in ↵Christina Fu2014-09-251-0/+40
| | | | subordinate certificate signing requests (CSR)
* Added idempotent 01-MoveWebApplicationContextFile migration scriptAde Lee2014-09-191-0/+4
| | | | Added to 10.1.1 to be consistent with 10.1 branch.
* Added option to import client cert from CA.Endi S. Dewata2014-09-191-0/+13
| | | | | | | | | | | | A new option has been added to the client-cert-import command to import a certificate from CA by specifying the serial number. The client-cert-import has also been modified to get the nickname of the certificate to import from the CLI argument. For backward compatibility, if no argument is specified the CLI will try to get the nickname from the authentication option (-n). Ticket #1152
* ticket #882 unique certID for certificate recordsChristina Fu2014-09-021-0/+36
|
* Fix kra-connector-removeAde Lee2014-09-022-8/+12
| | | | | | | | | | | | | | | | | | | | The code to remove the connector from the pki CLI was found to be broken because of invalid message type (partly due to void returns). On uninstall, we need to remove the kra-connector from all relevant CA's in the security domain. The best way to do this is to keep kra-connector info in LDAP, so that only one call is needed. Until that change has been made, we are adding a hack to remove the connector from all CA's in the secutrity domain (if it exists). Due to issues with proxy configurations, we will continue to use sslget and a url-encoded-form version of the servlet. In addition, it was found that when removing a KRA from a shared subsystem, the updateDomainXML servlet was erroneously returning failure when it was unsuccessful in removing a non-existent user from a group. Ticket 1113
generated by cgit (git 2.34.1) at 2025-09-27 00:25:26 +0000