| Commit message (Collapse) | Author | Age | Files | Lines |
|
The pki pkcs12-cert-find and pki pkcs12-key-find commands have
been added to list the certificates and keys in a PKCS #12 file.
https://fedorahosted.org/pki/ticket/1742
|
Add CLI commands for creating, listing and showing lightweight CAs.
Part of: https://fedorahosted.org/pki/ticket/1213
|
Due to a database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
|
The user-cert-add command has been modified to ask the user for
the CA server URI if the CA is not available locally.
A new SubsystemClient.exists() method has been added to check
whether a subsystem is deployed on the target instance.
The SubsystemCLI has been modified to call logout() only if
the operation is executed successfully.
The certificate approval callback class has been refactored out
of PKIConnection into a separate class to clean up circular
dependency with PKIClient.
https://fedorahosted.org/pki/ticket/1448
|
The pki CLI has been modified such that if the security database
location (-d) is not specified, the config.certDatabase will be
initialized with the default value (i.e. ~/.dogtag/nssdb). The
config.certDatabase is needed by the CLI to prepare the client
library for key archival operations.
|
A new findModules() method has been added to the CLI class to find
the list of modules handling a command. The list will be used by the
pki help CLI to find the proper man page for the specified command.
|
The CRMFPopClient has been modified to use Apache Commons CLI
library to handle the parameters. The help message has been
rewritten to make it more readable. The submitRequest() will
now display the error reason.
The options in ClientCertRequestCLI have been simplified. A new
option was added to generate CRMF request without POP.
https://fedorahosted.org/pki/ticket/1074
|
The CRMFPopClient has been refactored such that it is easier
to understand and reuse. The code has been fixed such that it
can read a normal PEM transport certificate. It also has been
fixed to parse the request submission result properly.
The client-cert-request CLI command was modified to support CRMF
requests.
The MainCLI and ClientConfig were modified to accept a security
token name.
The pki_java_command_wrapper.in was modified to include the Apache
Commons IO library.
https://fedorahosted.org/pki/ticket/1074
|
New CLI commands have been added to import/export certificates and
private keys into/from the client security database. The CLI can
also be used to generate the file needed by Python client library
for client certificate authentication.
|
A new CLI has been added to simplify the process to request
a user certificate for client certificate authentication.
Ticket #1148
|
The client-cert-import command has been modified to properly
initialize the CLI environment to avoid a null pointer exception.
Ticket #1126
|
Previously specifying a security database password in the CLI would
require a certificate nickname to be specified as well. While this
is correct for client certificate authentication, it caused a
problem for operations that do not authenticate against the server
such as client-init. The CLI has been modified to require a security
database password only if the nickname is specified for client
certificate authentication.
Similar changes have been made to require user password only if
the username is specified for basic authentication.
The CLI also has been modified to store all specified parameters
in the config object regardless of parameter validation.
The manual page has been modified accordingly.
Ticket #1125
|
- PKI TRAC Ticket #555 - Other ways to specify CLI password
|
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful,
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to set up the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
The TPS connection CLI has been renamed to TPS connector.
Ticket #977
|
* PKI TRAC Ticket #843 - Incorrect CLI argument parsing
|
* PKI TRAC Ticket #843 - Incorrect CLI argument parsing
* PKI TRAC Ticket #918 - CLI commands does not return code '1' for the failures
|
The KeyClient class on the java side is modified to
have a similar design as the KeyClient class on the python side.
|
The CLI help message has been simplified to show the commands as
a single list.
Ticket #839
|
A new help command has been added to display the manual page of the
specified command. If the manual page doesn't exist it will try to
display the manual page of the parent command.
Ticket #519
|
A new CLI parameter has been added to allow the user to select the
REST message format. This is done by setting the default consumes
and produces when creating the client proxy. For this to work the
hard-coded @Consumes and @Produces annotations need to be removed
from the interface definition. A new interceptor has been added
to validate the message format before executing the operation.
Ticket #554
|
The man page for pki CLI has been updated to include the commands
for managing the client security database.
|
Previously client-cert-import uses a JSS method that calls NSS
function PK11_ImportDERCertForKey(). To import certificate without
key it should use PK11_ImportCert but it's only available via
certutil. So for now the client-cert-import has been modified to
call certutil until the interface is added to JSS.
The MainCLI has been modified not to call CryptoManager.initialize()
to avoid locking up the security database while importing the
certificate using certutil.
|
A new CLI command has been added to simplify the creation of client
certificate database.
|
The CLI command parsing has been fixed such that it consumes all
parts of the commands. If there's unprocessed component it means
it is an invalid command.
Ticket #787
|
The following commands have been renamed. The old commands will
no longer work.
* profile -> ca-profile
* kraconnector -> ca-kraconnector
The following commands have also been renamed, but the old commands
will continue to work:
* cert -> ca-cert
* key -> kra-key
The user and group commands have already been renamed to <subsystem>-user
and <subsystem>-group. The old commands will continue to work
and will use CA subsystem by default.
Ticket #701
|
The CLI framework has been modified to support deprecating CLI
commands by adding @Deprecated to the class name.
|
A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652
|
The ca-cert-* commands have been added to eventually replace cert-*.
The CATest has been updated to use the CertClient directly.
|
New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652
|
Previously the CLI authentication could fail because it's using a
fixed default subsystem which may not match the command it's trying
to execute. The CLI has now been modified to use the appropriate
default subsystem depending on the command to be executed.
|
A new REST service and clients have been added to manage the profile
mappings in the TPS configuration file.
Ticket #652
|
The CLI framework has been modified to remove duplicate code
in various CLI modules.
|
A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operation requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.
|
A new REST service and clients have been added to manage the TPS
configuration in CS.cfg. When the configuration is updated, the
previous configuration will be stored as a backup.
Ticket #652
|
A skeleton for TPS authenticator services and the clients have been added.
The service implementation will be added later.
Ticket #652
|
A skeleton for TPS connection services and the clients have been added.
The service implementation will be added later.
Ticket #652
|
The TPS classes have been reorganized as follows:
* common: com.netscape.certsrv.tps
* CLI: com.netscape.cmstools.tps
* server: org.dogtagpki.server.tps
TPSConnection and TPSMessage were moved from server package into
common package. The build script and configuration files have been
modified accordingly.
|
New TPS services and clients have been added for TPS certificates. The
certificate database is currently implemented as in-memory database with
some sample data. Later it will be converted into LDAP database.
Ticket #652
|
The group client and CLI have been added into each subsystem (e.g. ca-group-*)
while keeping the original command for backward compatibility.
Ticket #652
|
The TPS client has been modified to include user client. The TPS CLI
has also been modified to provide user commands. New ACL entries have
been added to grant access rights to TPS administrators.
Ticket #652
|
New REST services and clients have been added for TPS activities.
The activity database is currently implemented as in-memory database
with some sample data. Later it will be converted into LDAP database.
Ticket #652
|
New CLI modules have been added for each subsystem. The user commands
have been added to these subsystems while keeping the original command
for backward compatibility.
Ticket #701
|
Some common CLI methods and attributes have been refactored into the CLI base
class. A new SubsystemCLI class was added as the base for subsystem CLI
modules. The MainCLI was modified such that it will only perform authentication
if the subsystem is specified in the server URI. If no subsystem is specified
in the URI, the authentication will be done by the subsystem CLI module.
Ticket #701
|
A skeleton for token service and the clients has been added. Currently
it's storing the database in memory. The actual implementation using
LDAP database will be added after the TPS configuration code is ready.
Ticket #652
|
The CryptoManager.initialize() and CryptoToken.login() invocation has been
moved into the main program as a workaround for the authentication problem
on RHEL and to ensure proper initialization in general.
Bugzilla #985111
|
This adds the initial framework for viewing and managing profiles.
Also adds CLI code for viewing/adding/deleting and editing profiles.
|
Recently the CLI was changed to initialize the default client database
automatically which will create it if it did not exist before. This was
causing a problem since the database was not created with a password.
To create the database properly a separate command is needed. For now
the CLI is reverted to the old behavior where it initializes the database
only if it is required for SSL connection and/or client authentication.
|
Previously the -w option is used to specify the password for
either the username/password authentication or client database
password to do client certificate authentication. Since the
passwords now may be used at the same time, a new -c option
has been added for the client database password.
|