| Commit message |
Ticket 437. Also moved a bunch of client path parameters to
default.cfg template file.
|
Ticket 393
|
Previously, we archived the default config file when an instance
was created, and used that file in running pkidestroy. We plan
to replace this mechanism in favor of actually reading the instance's
config files. For now, we return to using the standard default config
template, so that we can change it without breaking pkidestroy.
|
Tomcat in f17 expects the file under /etc/sysconfig/foo to be a
set of environment variables being set, and parses it that way.
We recently added some logic to source the global pki.conf file.
This works in f18, but breaks instance startup in f17.
While this works in f18, it's an indication that we are using the
tomcat config file incorrectly. Reverting to hardcoding resteasy lib.
|
Ticket 435
|
The paths to RESTEasy jar files have been modified such that it can
be configured globally at build time using the spec file to support
different distributions, and at deployment time using a system-wide
configuration in /etc/pki/pki.conf.
Ticket #422, #423.
|
* TRAC Ticket #231 - Dogtag 10: Update PKI Deployment to handle external CA
|
The default deployment configuration has been renamed and moved to
/etc/pki/default.cfg to make it more accessible to users. The pkispawn
has been modified to archive the default deployment configuration
along with the user-provided configuration in the registry. The
pkidestroy will now use both archived configuration files to ensure
proper removal of the subsystem.
Ticket #399
|
We currently run a restorecon on the instance log directory, but not
on the top level log directory. Restorecon is required for the top
level log directory since pkispawn creates it. Without running a
restorecon, it gets the label of the parent directory (var_log_t)
instead of consulting the fcontext rule in the base policy and using
pki_var_log_t.
Ticket #431
|
This patch replaces the code in pkiparser with defaults that are
built up using ConfigParser interpolation. The patch gets most
(but not all) default parameters.
|
The messages in ProfileList.template in CA EE have been extracted
into a properties file which can be translated separately.
The original messages in the template have been marked as follows:
<span class="message" name="...key...">...message...</span>
When the page is loaded into the browser, the original message will
be replaced with the translated messages.
Ticket #406
|
We need to keep the admin cert and p12 file in case the client directory
is purged.
|
Previously to create a subsystem the admin would have to copy the
entire default deployment configuration, which contains many
parameters, and then customize it. Now the deployment code has been
changed such that the default config file will be used to provide
the default values, so the admin will only need to provide the
non-default parameters, thus reducing the size of the file.
Sample configuration files are provided in
/usr/share/pki/deployment/config.
Ticket #399
|
Previously, sensitive parameters were stored in the Sensitive section in
the configuration file, separate from the hierarchical structure used
by non-sensitive parameters. To allow defining multiple subsystems in
a single configuration file the sensitive and non-sensitive parameters
have been reorganized into the same hierarchical structure.
To maintain the security a new meta-parameter has been added to list
all sensitive parameter names. This way the deployment code will know
whether a parameter is sensitive, which then will mask the value before
displaying it to the screen or storing it in a log file.
Ticket #399
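The scheme described in the commit message above (defaults overridden by a short user file, plus a meta-parameter naming the sensitive values to mask) can be sketched as follows. This is an added example, not the project's code: the meta-parameter name `sensitive_parameters`, every other parameter name, the mask string and the extra lint check are assumptions made for illustration.

```python
import configparser

# Constructed sample files; every parameter name here is hypothetical.
DEFAULT_CFG = """\
[DEFAULT]
sensitive_parameters = admin_password ds_password
instance_name = pki-tomcat
log_dir = /var/log/pki/%(instance_name)s
admin_uid = caadmin
admin_password =
ds_password =
"""
USER_CFG = """\
[CA]
admin_password = Secret123
ds_password = Secret456
"""
MASK = "XXXXXXXX"

def load(default_text, user_text):
    """Read the defaults first, then the user's overrides on top."""
    parser = configparser.ConfigParser()
    parser.read_string(default_text)
    parser.read_string(user_text)
    return parser

def sensitive_names(parser, section):
    return set(parser.get(section, "sensitive_parameters", fallback="").split())

def masked_items(parser, section):
    """Return the section's values as they may be printed or logged."""
    sensitive = sensitive_names(parser, section)
    return {name: MASK if name in sensitive else value
            for name, value in parser.items(section)}

def unlisted_secret_names(parser, section, hints=("password", "pin", "secret")):
    """Added lint: secret-looking names missing from the list are not masked."""
    sensitive = sensitive_names(parser, section)
    return sorted(name for name, _ in parser.items(section)
                  if name not in sensitive and any(h in name for h in hints))

if __name__ == "__main__":
    cfg = load(DEFAULT_CFG, USER_CFG)
    for name, value in sorted(masked_items(cfg, "CA").items()):
        print(f"{name} = {value}")
    print("unlisted:", unlisted_secret_names(cfg, "CA"))
```

A name-list design masks only what is listed, so the lint function flags secret-looking parameters that were added without updating the list.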
|
The deployment code has been modified such that if the security
domain user is not specified it will use the CA admin uid, or
Common uid, if it is defined. Otherwise it will use the default
"caadmin".
Ticket #399
|
The code in pkiparser.py has been converted into PKIConfigParser
class to facilitate further improvements.
Ticket #399
|
All remaining theme files for Tomcat subsystems which include
the templates and JS files have been moved from the theme folder
at <subsystem>-ui/shared/webapps/<subsystem> into the subsystem
webapp folder at base/<subsystem>/shared/webapps/<subsystem>.
The deployment tools have been updated to use the new location.
Ticket #407
|
The common templates have moved from common-ui into base/common.
The deployment tools have been updated to use the new location.
Ticket #407
|
The pkispawn and pkicreate have been updated to deploy the
combined images and CSS files from the common-ui into /pki/images
and /pki/css.
The common Velocity templates and JavaScript files still need to
be deployed from the <subsystem>-ui packages into each subsystem.
Ticket #328
|
This fixes an error in a previous commit which breaks creation
and removal of non-CA subsystems
|
Ticket 411
|
Ticket 412
|
* TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to
'pki-server'
* TRAC Ticket #398 - Move default location for client certificate database
|
* TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle subordinate CA
|
Currently the theme files are copied into each subsystem during
deployment creating duplicates. To reduce the problem the files
should be combined into a common folder /pki.
The process will be done over several patches. Initially this patch
will copy the images and CSS files into /pki/images and /pki/css.
Subsequent patches will update references to these files to the new
location. When it's done, the files no longer need to be copied
into each subsystem.
Ticket #328
|
Sometimes importing the ascii admin cert into the client certdb fails.
The binary always appears to work though.
|
With this patch, it will be possible to install a default instance
simply by adding the passwords in the pkideployment.cfg. This file
can then be used without additional alteration to add subsystems to the
same instance, by re-running pkispawn against the config file.
The patch makes sure that cert nicknames, database and baseDN, admin users
and client db are unique per subsystem. An option is added to reuse the
existing server cert generated by the first subsystem and copy the
required data to all subsystems.
Ticket 379, 385
|
* TRAC Ticket #286 - Dogtag 10: Create parameter for optionally allowing
a user to skip configuration . . .
|
Added permissions to certmonger to access the certdb. Also added
some missing selinux permissions for pki_tomcat_t
|
The "shared" folder in /usr/share/pki has been renamed
to "server" since it contains only server files.
Ticket #353
|
remove runcon from operations, add rules for spawn/destroy,
add mgrepl changes to policy
|
The pkispawn has been modified such that it will check whether
the package for the subsystem being created has been installed.
Ticket #332
|
* TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode()
does not resolve symlinks correctly
This patch fixes the problem that although top-level symlinks
are correctly identified as symbolic links, symlinks which
exist under a subdirectory are incorrectly identified as files,
and thus the 'chown' and 'chmod' commands are applied to the
symlink which in turn actually get applied to the target file
instead.
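The failure mode in the commit message above, where a chown or chmod aimed at a symlink lands on its target, is avoided by classifying each entry with `lstat` on its full path and never calling a link-following operation on a link. This is an added example, not the code from pkihelper.py: the function name, modes and the constructed temporary tree are assumptions.

```python
import os
import stat
import tempfile

def set_mode_tree(top, dir_mode=0o770, file_mode=0o660, uid=-1, gid=-1):
    """Set ownership and permissions below `top` without following symlinks.

    Returns the symlinks found; their targets are left untouched.
    """
    links = []
    for root, dirs, files in os.walk(top, followlinks=False):
        for name in dirs + files:
            # Full path, so entries in subdirectories are classified correctly.
            path = os.path.join(root, name)
            st = os.lstat(path)            # describes the link, not its target
            if stat.S_ISLNK(st.st_mode):
                os.lchown(path, uid, gid)  # acts on the link itself
                links.append(path)
                continue                   # chmod would follow the link
            os.chown(path, uid, gid)
            os.chmod(path, dir_mode if stat.S_ISDIR(st.st_mode) else file_mode)
    return links

def demo():
    """Constructed tree: a link in a subdirectory points at a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "outside.key")
        open(target, "w").close()
        os.chmod(target, 0o600)
        top = os.path.join(tmp, "instance")
        os.makedirs(os.path.join(top, "conf"))
        regular = os.path.join(top, "conf", "server.xml")
        open(regular, "w").close()
        link = os.path.join(top, "conf", "link.key")
        os.symlink(target, link)
        links = set_mode_tree(top)
        return (links == [link],
                stat.S_IMODE(os.stat(target).st_mode),
                stat.S_IMODE(os.stat(regular).st_mode))

if __name__ == "__main__":
    found, target_mode, regular_mode = demo()
    print(found, oct(target_mode), oct(regular_mode))
```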
|
The <instance>/lib link has been replaced with a real folder
which contains links to the files in /usr/share/tomcat/lib. This
way the log4j.properties can be placed in this folder without
causing conflicts with other instances.
Ticket: #284
|
The deployment and init scripts have been fixed to create and check
the link to symkey.jar if a TKS instance is added, and remove the
link if the instance is removed.
Ticket #331
|
* TRAC Ticket #311 - Unable to deregister subsystem in merged instance
|
Added logging so that we can see what is passed in to server from pkispawn.
Fixed incorrect dbuser specification.
Added required replication config items to pkispawn.
Initial refactoring of construct_pki_configuration_data in pkijython.py
|
When removing a subsystem the pkidestroy would also remove the SELinux
contexts for the instance regardless of whether there are still other
subsystems in the instance. The code has been fixed such that it's
removing the SELinux contexts when deleting the last subsystem only.
Ticket #89
|
The current ROOT webapp will redirect users coming to the root
URL path to the proper path of the subsystem's webapp.
Since now a single Tomcat instance may have multiple subsystems,
a new ROOT webapp has been added to present the user with a menu
of all available webapps from all subsystems in the instance.
Ticket #89
|
A new theme webapp has been added to store the theme files for
all PKI webapps. In the future the subsystem webapps can be
modified to use the theme files provided by this common webapp
instead of having to include duplicate files in each webapp.
Ticket #89
|
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having a separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, they will register their
own realms into the proxy realms such that the authentications will
be forwarded to the appropriate subsystems.
Ticket #89
|
Previously the WAR files were generated at build time, so it would
include theme files that were installed on the build machine.
The code has been changed such that instead of generating WAR files
pkispawn will copy the webapp files from the theme folders and combine
them with subsystem webapp files at deployment time. This way it will
use the actual theme files installed on the deployment machine.
Ticket #89
|
The pki-client.jar has been split and merged into pki-certsrv.jar
and pki-tools.jar. The REST client classes are now packaged in
com.netscape.certsrv.<component> packages. The REST CLI classes
are now packaged in com.netscape.cmstools.<component> packages.
The "pki" script has been moved into pki-tools RPM package.
Ticket #215
|