| Commit message | Author | Age | Files | Lines |
| |
The upgrade framework has been modified to support backup and restore
functionality. A new method backup(filename) has been added to save
a file into a backup folder. The CLIs have been modified to accept
a --revert parameter which will restore the backup files one version
at a time.
Ticket #583
| |
This patch provides an option to generate CRLs with nextUpdate calculated as the sum of thisUpdate and an offset.
Ticket #571
| |
This patch provides plug-in randomizing validity
Ticket #607
| |
java.security.NoSuchAlgorithmException" when using NetHSM token
- small patch to remove Eclipse warning
| |
The JNI_JAR_DIR is supposed to be architecture-specific but the
pki-base package is architecture-neutral. So, to ensure it has the
correct value, the variable will be set at post installation.
Also, to simplify the upgrade process, the variable has been moved
from /etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build,
deployment, startup, and upgrade scripts have been modified
accordingly.
| |
When setting up clones or non-CA subsystems, pkispawn checks if
the security domain is accessible and if the user can log in.
These calls invoke REST URIs, which are not available on older
subsystems. To support these subsystems, we need to attempt the
older legacy servlets if the REST APIs are not available.
Ticket #604
| |
java.security.NoSuchAlgorithmException" when using NetHSM token
| |
The /etc/pki/pki.conf has been restored. The RPM spec file has
been modified such that it will create system upgrade tracker file
(/etc/pki/pki.version) on install and remove it on uninstall.
| |
A new upgrade scriptlet has been added to add JNI_JAR_DIR into
pki.conf. The code to manipulate property files has been refactored
from PKIUpgradeTracker into a separate PropertyFile class to allow
reuse.
The pki-base package has been modified to deliver a default pki.conf
in /usr/share/pki/etc and copy it into /etc/pki if it doesn't exist.
| |
Recently the CLI was changed to initialize the default client database
automatically which will create it if it did not exist before. This was
causing a problem since the database was not created with a password.
To create the database properly a separate command is needed. For now
the CLI is reverted to the old behavior where it initializes the database
only if it is required for SSL connection and/or client authentication.
| |
Previously the -w option was used to specify the password for
either the username/password authentication or client database
password to do client certificate authentication. Since the
passwords now may be used at the same time, a new -c option
has been added for the client database password.
| |
The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.
The instanceCreationMode is now redundant and has been removed from
ClientConfig.
| |
A new method has been added to the PKIClient to download the CA
certificate chain from an alternative location including the admin
interface.
Ticket #491
| |
The default client database location for CLI has been changed to
~/.dogtag/nssdb. The database will always be initialized regardless
of whether it is actually used.
Ticket #491
| |
The upgrade framework has been split into base and server upgrade
frameworks since they will be run automatically by different RPM
packages during upgrade. The base upgrade framework will upgrade
the system configuration. The server upgrade framework will upgrade
the instances and subsystems.
Ticket #544
| |
The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse.
The Client classes have been modified such that they use a shared
PKIClient object instead of PKIConnection.
The return codes in CertFindCLI have been fixed to be more consistent
with other commands.
Ticket #491
| |
This patch improves cloning in regards to configuration of random certificate serial numbers.
Bug: 922121.
| |
The pki.conf has been moved into the base/common folder to match
the RPM package.
Ticket #553
| |
This patch corrects JavaScript inability to handle big numbers in key recovery process.
Bug: 955784.
| |
Output the actual result of a revoke/unrevoke operation in CLI, since
the actual result of the operation can be different from the cert request
status.
Ticket #217
| |
This patch corrects key IDs miscalculated by JavaScript for key search results and key record views.
Bug: 951501.
| |
New options have been added to the CLI to reject or ignore certain
cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
The options can also be defined in pki.conf as a system-wide policy.
Ticket #491
| |
The CLI has been modified such that when it connects to an untrusted
server it will ask the user whether to import the CA certificate and
also ask for the location of the CA server from which to download
the CA certificate.
Ticket #491
| |
Changed the status check and restart commands to systemctl.
The text $errorString will not be seen when the security domain login panel
is launched for the first time.
Ticket #452
| |
D9 instances run on tomcat6, which does not have support for the
authenticator and realm. We are not supporting the REST operations
on D9 style instances. They will need to be migrated.
The migration framework has been modified to process d9 or d10
style instances, and a migration script has been added to add the new
servlet to existing d9 instances.
| |
This patch adds support for random certificate serial numbers.
Bug 912554.
| |
The upgrade framework has been modified to use pki.conf to track
system upgrade, tomcat.conf to track instance upgrade, and CS.cfg
to track subsystem upgrade.
The preop.product.version in CS.cfg has been renamed into
cms.product.version and is now used to track upgrade.
Ticket #544
| |
Some common constants and methods in pki.upgrade have been moved
into the pki module.
Ticket #544
| |
Modified code to use this interface by default. Added required
migration script code.
Ticket 546
| |
A new Python library has been added to provide a framework to develop
upgrade scriptlets. A new CLI has been added to execute the upgrade
scriptlets.
Ticket #544
| |
SubjectAltNameExtDefault gname is empty, not added in cert ext during configuration
Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC
| |
NSCertTypeExtension bits (patch from mpoole)
| |
A new option has been added to the CLI to capture HTTP requests
and responses and store them in the specified folder.
Ticket #523
| |
The class registration for JSON encoding has been moved after the
class definitions to avoid problems.
Ticket #532
| |
Connection is now made to the installation servlet through a python
client using JSON. The code to construct the ConfigurationRequest and
parse the results has been moved to pkihelper.py, and configuration.py
no longer calls a separate jython process to create the Configuration
object and parse the results. The jython code has therefore been removed.
Also added status servlet to other java subsystems, to be tested prior
to starting configuration.
Trac Ticket 532
| |
By default Tomcat relies on /dev/random as a random number generator
to generate the session IDs. Under certain conditions /dev/random
may block, which will block Tomcat as well. To solve the problem all
webapps in Tomcat have been configured to use the random number
generator provided by JSS.
Ticket #524
| |
The Python REST client has been modified to parse JSON data using a method
that is compatible with python-requests 1.1. The RPM spec file has been
modified to require python-requests 1.1 package.
Ticket #535
| |
The installer script has been modified to validate security domain
info in both interactive and silent installation.
A basic Python API has been added to access the REST interface.
Ticket #473
| |
A new cert-request-show command has been added to allow EE users to
check certificate request status.
Ticket #511
| |
A new mechanism has been added to specify the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods. When a
client calls a REST method, the AuthMethodInterceptor will intercept the
call and verify that the client uses an allowed authentication method.
Most REST methods that require authentication have been configured to
require client certificate authentication. Authentication using username
and password will only be used to get the installation token from security
domain.
Ticket #477
| |
New CLIs have been added to search, add, and remove user membership.
The group member management code has been refactored into a processor
to allow reuse.
Ticket #190
| |
The cert-find command has been modified to provide an option to
search by certificate status.
Ticket #501
| |
The cert-find command has been modified to include some additional
attributes including certificate type and version, key algorithm
name and length, validity dates, creation time and issuer.
Ticket #498
| |
The cert-find command has been fixed to show better error messages
on missing validity duration options. The validity duration unit
has been changed to take "day", "week", "month", or "year" and
convert it into milliseconds.
Ticket #291, #500