| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The ACL and auth method mapping names in some resources have been
modified to be more consistent with those in other resources.
| |
New ACL has been added to allow only the administrators to access
TPS selftests.
Ticket #652
| |
New ACL has been added to allow only the administrators to access
TPS connections.
Ticket #652
| |
New ACL has been added to allow only the administrators to access
TPS configuration.
Ticket #652
| |
New ACL has been added to allow only the administrators to access
TPS authenticators.
The set of interceptors in each application has been modified to
preserve the order.
Ticket #652
| |
The find commands in some REST services have been modified to support
paging to be consistent with others. The other find commands have been
cleaned up as well.
| |
Some of the REST services have been fixed to consistently return a
DataCollection which contains the total count, the requested subset
of results, and links to request other subsets of the results.
The TPSConnectorFindCLI has been split into separate find and show
commands.
Ticket #749
| |
The user and group services have been modified to return consistent HTTP
return codes under various situations. The UGSubsystem has been modified
to capture any LDAP exceptions and throw the proper PKIException subclass
that represents the appropriate HTTP error code for the situation.
Ticket #669, #749
| |
Ticket 749
| |
Also added some missing checks, and some missing options in the Key Request CLI
| |
Ticket 749
| |
A new REST service and clients have been added to manage the profiles
in the TPS configuration file.
Ticket #652
| |
The ACL and ACLEntry in com.netscape.cmscore.realm are duplicates
of the ones in com.netscape.certsrv.acls. They have been removed
since they are no longer used. All differences have been merged
into the remaining copy.
| |
The upgrade framework has been modified to back up the files used
to track the upgrade progress. If the tracker file is also modified
by the upgrade scriptlet, it will only keep the initial backup
(before any modifications were made).
Ticket #763
| |
The test classes have been moved from base/common/test to base/server/test
and into the cmscore package because they are dependent on server classes.
| |
Previously the CMS.shutdown() was called multiple times during Tomcat
shutdown, one by CMSStartServlet.destroy() and the other by the shutdown
hook, causing some errors. The shutdown hook should only be used in a
standalone application, so it has been moved into CMS.main().
Bugzilla #1018628
| |
The TPS token REST interface has been modified to require client certificate
authentication. TPS admins, agents, and operators are allowed to view tokens,
but only admins are allowed to add and remove tokens, and only agents are
allowed to modify tokens.
| |
The CertEnrollmentRequest, ProfileInput, ProfileAttribute, and Descriptor
have been cleaned up to fix some bugs and minor formatting issues.
| |
The tomcat, cms, and cmscore packages have been moved from base/common
into separate folders in base/server so that they can be built separately.
| |
Due to a regression RESTEasy is unable to find some sub-resources properly.
As a workaround some resources need to be merged into the parent resource.
The UserCertResource and UserMembershipResource have been merged into
UserResource. The GroupMemberResource has been merged into GroupResource.
| |
The PKIPrincipal is in cmscore package but it's needed by the REST
services in cms package so the class has been moved into cms package.
| |
The CertUserDBAuthentication and PasswdUserDBAuthentication are authentication
managers in cmscore package but they are needed by PKIRealm that is now in cms
package, so new interfaces have been refactored from these classes so they
can be used without causing a dependency issue.
| |
PKIRealm has been moved from pki-cmscore into pki-cms package because
it's needed by CMSStartServlet which is in the pki-cms package.
| |
* TRAC Ticket #667 - provide option for ca-less drm install
| |
Ticket 727
| |
A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652
| |
The ca-cert-* commands have been added to eventually replace cert-*.
The CATest has been updated to use the CertClient directly.
| |
New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652
| |
Ticket 97
| |
Previously the CLI authentication could fail because it's using a
fixed default subsystem which may not match the command it's trying
to execute. The CLI has now been modified to use the appropriate
default subsystem depending on the command to be executed.
| |
A new REST service and clients have been added to manage the profile
mappings in the TPS configuration file.
Ticket #652
| |
The implementation of the TPS connection service has been modified to
use the configuration database to read and write the configuration file.
Ticket #652
| |
The implementation of the TPS authenticator service has been modified to
use the configuration database to read and write the configuration file.
Ticket #652
| |
The REST interface for TPS configuration has been modified to provide access
to TPS general configuration as originally designed. The configuration database
has been modified such that it can be reused by other configuration resources.
Ticket #652
| |
The CLI framework has been modified to remove duplicate code
in various CLI modules.
| |
This patch provides basic support for DRM Transport Key Rotation described
in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected and validated transport certificate arriving as a part of extended archival request
| |
Also changed permissions to allow admin users to delete a connector
and its associated shared secret.
| |
The self tests and TokenServlet are modified to use the new shared secret
names. A parameter has been added to allow legacy systems to continue running
as-is. With a new system, the TKS self test will not fail on startup if
no shared secret keys are configured. It will fail, however, if the keys are
configured, but the ComputeSessionKey operation fails.
| |
A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operation requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.
| |
A new REST service and clients have been added to manage the TPS
configuration in CS.cfg. When the configuration is updated, the
previous configuration will be stored as a backup.
Ticket #652
| |
Up to now, only pkispawn with a config file worked for tomcat-tps
installation. This patch adds the functionality for the interactive
installation.
| |
Resteasy 3.0.1 is not populating the @Context parameters if they are
defined in a super class. This is a workaround until that problem is fixed.
See https://issues.jboss.org/browse/RESTEASY-952
| |
Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor
with correct method call and reformatted the interceptors.
| |
RESTEasy 3.0.1 provides JAX-RS 2.0 interceptors. We need to either use these
or the proprietary ones in order to compile. These ones appear to be working just fine.
It does turn out that the change to getStringHeaders() is not yet implemented in 3.0.1
so we'll have to fix that.
| |
A new LDAPDatabase class was added as a base class for LDAP-based
databases. A new DBRecord class was added to provide the default
implementation for record classes. New annotation classes were added
to specify the object class and attribute mappings.
| |
The RenewableCertificateCollection class is in the server package but
it's used by ICertificateRepository in the base package, so the class
has been moved into the base package.
| |
The ProfilePolicy is in the server package but it's used by IProfile
interface in the base package. The interface has been modified to use
IProfilePolicy instead.