path: root/base/deploy/src/scriptlets

Commit log (each entry: commit message and branch ref, then author, date, files changed, lines -removed/+added, then the commit description)

Simplified the configuration file using defaults. [ref: ticket-399-6]
  Endi Sukma Dewata, 2012-11-30, 4 files changed, -10/+17
  Previously, to create a subsystem, the admin would have to copy the entire default deployment configuration, which contains many parameters, and then customize it. Now the deployment code has been changed such that the default config file will be used to provide the default values, so the admin will only need to provide the non-default parameters, thus reducing the size of the file. Sample configuration files are provided in /usr/share/pki/deployment/config. Ticket #399

Reorganized sensitive parameters.
  Endi Sukma Dewata, 2012-11-30, 9 files changed, -69/+82
  Previously, sensitive parameters were stored in the Sensitive section of the configuration file, separate from the hierarchical structure used by non-sensitive parameters. To allow defining multiple subsystems in a single configuration file, the sensitive and non-sensitive parameters have been reorganized into the same hierarchical structure. To maintain security, a new meta-parameter has been added to list all sensitive parameter names. This way the deployment code will know whether a parameter is sensitive, and will then mask the value before displaying it on the screen or storing it in a log file. Ticket #399

Fixed default security domain user.
  Endi Sukma Dewata, 2012-11-30, 1 file changed, -18/+39
  The deployment code has been modified such that if the security domain user is not specified it will use the CA admin uid, or Common uid, if it is defined. Otherwise it will use the default "caadmin". Ticket #399

Refactored pkiparser.py into PKIConfigParser.
  Endi Sukma Dewata, 2012-11-30, 2 files changed, -2230/+2233
  The code in pkiparser.py has been converted into PKIConfigParser class to facilitate further improvements. Ticket #399

Link to resteasy-base on rhel systems when running pkispawn [ref: alee-91]
  Ade Lee, 2012-11-21, 3 files changed, -12/+28

Reorganized CA, KRA, OCSP, TKS templates.
  Endi Sukma Dewata, 2012-11-12, 1 file changed, -8/+3
  All remaining theme files for Tomcat subsystems which include the templates and JS files have been moved from the theme folder at <subsystem>-ui/shared/webapps/<subsystem> into the subsystem webapp folder at base/<subsystem>/shared/webapps/<subsystem>. The deployment tools have been updated to use the new location. Ticket #407

Reorganized common templates.
  Endi Sukma Dewata, 2012-11-12, 2 files changed, -44/+11
  The common templates have moved from common-ui into base/common. The deployment tools have been updated to use the new location. Ticket #407

Updated tools to deploy combined images and CSS files.
  Endi Sukma Dewata, 2012-11-11, 2 files changed, -67/+36
  The pkispawn and pkicreate have been updated to deploy the combined images and CSS files from the common-ui into /pki/images and /pki/css. The common Velocity templates and JavaScript files still need to be deployed from the <subsystem>-ui packages into each subsystem. Ticket #328

Fix issue with pki_external being referenced for non-CA
  Ade Lee, 2012-11-10, 1 file changed, -3/+7
  This fixes an error in a previous commit which breaks creation and removal of non-CA subsystems

removed dry_run from pkispawn
  Ade Lee, 2012-11-10, 10 files changed, -1078/+706
  Ticket 411

Remove unused respawn code.
  Ade Lee, 2012-11-10, 9 files changed, -400/+0
  Ticket 412

Move default location for client certificate database
  Matthew Harmsen, 2012-11-09, 1 file changed, -2/+2
  * TRAC Ticket #395 - Dogtag 10: Add a Tomcat 7 runtime requirement to 'pki-server'
  * TRAC Ticket #398 - Move default location for client certificate database

Enable Subordinate CA
  Matthew Harmsen, 2012-11-08, 4 files changed, -16/+30
  * TRAC Ticket #185 - Dogtag 10: Update PKI Deployment to handle subordinate CA

Merged theme files.
  Endi Sukma Dewata, 2012-11-06, 1 file changed, -4/+160
  Currently the theme files are copied into each subsystem during deployment creating duplicates. To reduce the problem the files should be combined into a common folder /pki. The process will be done over several patches. Initially this patch will copy the images and CSS files into /pki/images and /pki/css. Subsequent patches will update references to these files to the new location. When it's done, the files no longer need to be copied into each subsystem. Ticket #328

Convert admin cert from ascii to binary before importing into certdb
  Ade Lee, 2012-11-04, 2 files changed, -3/+17
  Sometimes importing the ascii admin cert into the client certdb fails. The binary always appears to work though.

Set paths for default instance
  Ade Lee, 2012-11-04, 3 files changed, -40/+130
  With this patch, it will be possible to install a default instance simply by adding the passwords in the pkideployment.cfg. This file can then be used without additional alteration to add subsystems to the same instance, by re-running pkispawn against the config file. The patch makes sure that cert nicknames, database and baseDN, admin users and client db are unique per subsystem. An option is added to reuse the existing server cert generated by the first subsystem and copy the required data to all subsystems. Ticket 379, 385

Allow a PKI instance to be installed/configured independently
  Matthew Harmsen, 2012-10-30, 13 files changed, -3/+121
  * TRAC Ticket #286 - Dogtag 10: Create parameter for optionally allowing a user to skip configuration . . .

Provide option to install, rather than replicate schema in a clone
  Ade Lee, 2012-10-22, 1 file changed, -0/+1

Added pki_tomcat_cert_t type and interface to access it
  Ade Lee, 2012-10-10, 2 files changed, -0/+12
  Added permissions to certmonger to access the certdb. Also added some missing selinux permissions for pki_tomcat_t

Renamed "shared" folder to "server".
  Endi Sukma Dewata, 2012-10-07, 2 files changed, -15/+11
  The "shared" folder in /usr/share/pki has been renamed to "server" since it contains only server files. Ticket #353

add selinux context for pkidaemon, remove unneeded pid and lock code
  Ade Lee, 2012-10-05, 1 file changed, -1/+1
  remove runcon from operations, add rules for spawn/destroy, add mgrepl changes to policy

Added package checking for pkispawn.
  Endi Sukma Dewata, 2012-10-01, 1 file changed, -0/+1
  The pkispawn has been modified such that it will check whether the package for the subsystem being created has been installed. Ticket #332

Correctly resolve symlinks in subdirectories
  Matthew Harmsen, 2012-09-25, 1 file changed, -3/+4
  * TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode() does not resolve symlinks correctly
  This patch fixes the problem that although top-level symlinks are correctly identified as symbolic links, symlinks which exist under a subdirectory are incorrectly identified as files, and thus the 'chown' and 'chmod' commands are applied to the symlink which in turn actually get applied to the target file instead.

Fixed conflicting log4j.properties.
  Endi Sukma Dewata, 2012-09-19, 2 files changed, -20/+22
  The <instance>/lib link has been replaced with a real folder which contains links to the files in /usr/share/tomcat/lib. This way the log4j.properties can be placed in this folder without causing conflicts with other instances. Ticket: #284

Fixed problems with optional pki-symkey.
  Endi Sukma Dewata, 2012-09-18, 2 files changed, -6/+10
  The deployment and init scripts have been fixed to create and check the link to symkey.jar if a TKS instance is added, and remove the link if the instance is removed. Ticket #331

Deregister subsystem in merged instance
  Matthew Harmsen, 2012-09-13, 2 files changed, -1/+9
  * TRAC Ticket #311 - Unable to deregister subsystem in merged instance

Various fixes to installation servlet and pki-deploy
  Ade Lee, 2012-09-12, 3 files changed, -254/+164
  Added logging so that we can see what is passed in to server from pkispawn. Fixed incorrect dbuser specification. Added required replication config items to pkispawn. Initial refactoring of construct_pki_configuration_data in pkijython.py

Fixed SELinux error during pkidestroy.
  Endi Sukma Dewata, 2012-09-12, 1 file changed, -28/+68
  When removing a subsystem the pkidestroy would also remove the SELinux contexts for the instance regardless of whether there are still other subsystems in the instance. The code has been fixed such that it's removing the SELinux contexts when deleting the last subsystem only. Ticket #89

Added common ROOT webapp.
  Endi Sukma Dewata, 2012-09-12, 3 files changed, -36/+19
  The current ROOT webapp will redirect users coming to the root URL path to the proper path of the subsystem's webapp. Since now a single Tomcat instance may have multiple subsystems, a new ROOT webapp has been added to present the user with a menu of all available webapps from all subsystems in the instance. Ticket #89

Added common theme webapp.
  Endi Sukma Dewata, 2012-09-12, 2 files changed, -0/+21
  A new theme webapp has been added to store the theme files for all PKI webapps. In the future the subsystem webapps can be modified to use the theme files provided by this common webapp instead of having to include duplicate files in each webapp. Ticket #89

Added proxy realm.
  Endi Sukma Dewata, 2012-09-05, 3 files changed, -58/+51
  CMS engine is a singleton and it's used by PKI realm to authenticate users accessing the subsystem. Since a Tomcat instance may contain multiple subsystems, each having a separate realm, the PKI JAR links need to be moved into WEB-INF/lib so that they will run inside separate class loaders. Tomcat also requires that the authenticator and realm classes be available in common/lib. To address this a new package pki-tomcat.jar has been added. The package contains the authenticator and a proxy realm. When the subsystems start running, they will register their own realms into the proxy realm such that the authentications will be forwarded to the appropriate subsystems. Ticket #89

Moved webapp deployment code into pkispawn.
  Endi Sukma Dewata, 2012-09-05, 3 files changed, -18/+55
  Previously the WAR files were generated at build time, so it would include theme files that were installed on the build machine. The code has been changed such that instead of generating WAR files pkispawn will copy the webapp files from the theme folders and combine them with subsystem webapp files at deployment time. This way it will use the actual theme files installed on the deployment machine. Ticket #89

Moved REST CLI into pki-tools.
  Endi Sukma Dewata, 2012-08-29, 2 files changed, -2/+2
  The pki-client.jar has been split and merged into pki-certsrv.jar and pki-tools.jar. The REST client classes are now packaged in com.netscape.certsrv.<component> packages. The REST CLI classes are now packaged in com.netscape.cmstools.<component> packages. The "pki" script has been moved into pki-tools RPM package. Ticket #215

Verify symbolic links and update CS.cfg for Dogtag 10
  Matthew Harmsen, 2012-08-29, 1 file changed, -1/+1
  * TRAC Ticket #301 - Need to modify init scripts to verify needed symlinks in an instance
  * TRAC Ticket #303 - Dogtag 10: CS.cfg parameters for Dogtag 9 instance running under Dogtag 10 packages . . .

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-08-17, 4 files changed, -0/+242
  * TRAC Ticket #266 - for non-master CA subsystems, pkidestroy needs to contact the security domain to update the domain
  * Made Fedora 17 rely upon tomcatjss 7.0.0 or later
  * Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
  * Altered PKI Package Dependency Chain (top-to-bottom): pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common
  * Changed TPS to require a build-time dependency of 'httpd-devel >= 2.4.2'
  * Clarified RPM build script's usage message

Added pki-client.jar.
  Endi Sukma Dewata, 2012-08-15, 1 file changed, -1/+1
  A new pki-client.jar has been created to package the REST client and CLI classes. Ticket #215

Reorganized REST common classes.
  Endi Sukma Dewata, 2012-08-15, 1 file changed, -3/+4
  The common classes used by REST client and services have been moved into the com.netscape.certsrv.<component> packages. Ticket #215

Reorganized REST client classes.
  Endi Sukma Dewata, 2012-08-15, 2 files changed, -2/+2
  The REST client classes have been moved into the com.netscape.cms.client.<component> packages. Ticket #215

Cleaned up REST common class names.
  Endi Sukma Dewata, 2012-08-15, 1 file changed, -16/+16
  The REST common classes have been renamed for better clarity and consistency. Ticket #259

Cleaned up REST client class names.
  Endi Sukma Dewata, 2012-08-15, 2 files changed, -2/+2
  The REST client classes have been renamed for better clarity and consistency. Ticket #259

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-08-13, 2 files changed, -169/+70
  * TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle cloning CA/KRA/OCSP/TKS . . .
  * TRAC Ticket #285 - Dogtag 10: Fix installation issues for KRA, OCSP, and TKS

TRAC Ticket #283 - Dogtag 10: Integrate Tomcat 6 'tomcatjss.jar' and Tomcat 7 'tomcat7jss.jar' in Fedora 18 tomcatjss package
  Matthew Harmsen, 2012-08-03, 1 file changed, -1/+1
  * Requires tomcatjss 7.0.0-3 as links for instances created by 'pkispawn' will now point to 'tomcat7jss.jar'

Enabled SSL authenticator and PKI realm.
  Endi Sukma Dewata, 2012-08-03, 2 files changed, -1/+25
  The SSL connection has been configured with clientAuth="want" so users can choose whether to provide a client certificate or username and password. The authentication and authorization will be handled by the SSL authenticator with fallback and PKI realm. New access control rules have been added for users, groups, and certs REST services. Ticket #107

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-08-02, 10 files changed, -161/+366
  * PKI TRAC Ticket #279 - Dogtag 10: Fix remaining 'cloning' issues in 'pkispawn' . . .
  * PKI TRAC Ticket #280 - Dogtag 10: Fix remaining issues in 'pkidestroy' related to deletion of more than one instance . . .
  * PKI TRAC Ticket #281 - Dogtag 10: Fix 'pkidaemon'/'operations' issue to handle individual instance . . .

selinux policy changes to use standard ports
  Ade Lee, 2012-07-31, 2 files changed, -5/+5
  Selinux policy has been changed to use standard tomcat ports. Corresponding changes have been made in the pki-deploy scripts. Minor change in config script for password check.

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-07-30, 14 files changed, -550/+736
  * TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of sporadically "not" removing "/etc/sysconfig/{pki_instance_id}" . . .
  * TRAC Ticket #264 - Dogtag 10: Enable various other subsystems for configuration . . .
  * TRAC Ticket #261 - Dogtag 10: Revisit command-line options of 'pkispawn' and 'pkidestroy' . . .
  * TRAC Ticket #268 - Dogtag 10: Create a parameter for optional restart of configured PKI instance . . .
  * TRAC Ticket #270 - Dogtag 10: Add missing parameters to 'pkideployment.cfg' . . .
  * TRAC Ticket #265 - Dogtag 10: Provide configurable options for PKI client information . . .
  * TRAC Ticket #275 - Dogtag 10: Add debug information (comments) to Tomcat 7 "logging.properties"
  * TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to the 'sensitive' dictionary
  * TRAC Ticket #277 - Dogtag 10: Create an 'archive' for 'manifest' and 'pkideployment.cfg' files
  * TRAC Ticket #278 - Dogtag 10: Fix Miscellaneous PKI Deployment Scriptlet Issues . . .

Added ClientConfig.
  Endi Sukma Dewata, 2012-07-30, 3 files changed, -5/+13
  A new ClientConfig class has been added to encapsulate client configuration parameters. These parameters include server URI, certificate database, certificate nickname, and password. Ticket #107

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-07-25, 7 files changed, -163/+337
  * PKI TRAC Ticket #244 - Non-user-friendly message when deleting non-existent subsystem with pkidestroy
  * PKI TRAC Ticket #246 - Incorrect parameter names in pkispawn configuration
  * PKI TRAC Ticket #248 - pki_ds_database should not be a DN
  * PKI TRAC Ticket #249 - pki_ds_base_dn causing pkispawn failure
  * PKI TRAC Ticket #250 - Creating/removing custom instances should not require http/ajp ports
  * PKI TRAC Ticket #251 - Instance name may conflict with other files
  * PKI TRAC Ticket #253 - Fix pki-destroy removal of '/var/log/pki/{pki_instance_id}' directory . . .
  * PKI TRAC Ticket #254 - Dogtag 10: Fix spec file to build successfully via mock on Fedora 17 . . .
  * PKI TRAC Ticket #255 - Missing resteasy-atom-provider.jar
  * PKI TRAC Ticket #260 - Dogtag 10: Change the layout of 'pki_instance_id' . . .

Selinux policy for new configuration.
  Ade Lee, 2012-07-25, 5 files changed, -0/+178
  Added tomcat_t for java processes. Added aliases for old types to allow compatibility of existing subsystems. Added install scripts for pkispawn and pkidestroy

PKI Deployment Scriptlets
  Matthew Harmsen, 2012-07-19, 6 files changed, -48/+102
  * In 'catalina.properties', removed commented out jars for each of the subsystems in the 'common.loader'
  * In 'server.xml', removed the line containing a '1'
  * Moved all parameters from the [Mandatory] and [Optional] sections of the 'pkideployment.cfg' file to other more appropriate sections (e.g. - [Common], [CA], [KRA], etc.), and removed these sections and all of their associated logic from the 'pki-deploy' package
  * Resolved Dogtag TRAC Ticket #225 Dogtag 10: Move "pkispawn"/"pkidestroy" logs
  * Removed all security domain references from external CA logic
  * Added new 'pki_subsystem_name' parameter to 'pkideployment.cfg' file, and applied logic throughout 'pki-deploy'
  * Added new error message in the case of an unset DNS domain name, and replaced the log message with a simple print in the case of a 'domainname' exception