| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
|
|
|
|
|
| |
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
|
|
|
|
|
|
| |
The TPS REST service, CLI, and UI have been modified to provide
an interface to search for certificates belonging to a token.
https://fedorahosted.org/pki/ticket/1164
|
|
|
|
|
|
|
|
| |
Update CLI commands for working with the (now LDAP-based)
profiles in the same format as was used by the files, by way of the
--raw option.
Also add the "edit" command to interactively edit a profile.
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CRMFPopClient has been modified to use Apache Commons CLI
library to handle the parameters. The help message has been
rewritten to make it more readable. The submitRequest() will
now display the error reason.
The options in ClientCertRequestCLI have been simplified. A new
option was added to generate CRMF request without POP.
https://fedorahosted.org/pki/ticket/1074
|
|
|
|
|
|
|
| |
The OCSPClient CLI has been refactored into an OCSPProcessor
utility class such that the functionality can be reused.
https://fedorahosted.org/pki/ticket/1202
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CRMFPopClient has been refactored such that it is easier
to understand and reuse. The code has been fixed such that it
can read a normal PEM transport certificate. It also has been
fixed to parse the request submission result properly.
The client-cert-request CLI command was modified to support CRMF
requests.
The MainCLI and ClientConfig were modified to accept a security
token name.
The pki_java_command_wrapper.in was modified to include the Apache
Commons IO library.
https://fedorahosted.org/pki/ticket/1074
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current profile inputs/outputs do not have meaningful IDs
(e.g. i1, i2, o1) and are not used by the client so they should
not be displayed in the CLI output.
In the future the IDs should be renamed into something meaningful
(e.g. keygen, sn, cert) and the inputs/outputs should be retrieved
by ID. New methods have been added to retrieve by ID.
https://fedorahosted.org/pki/ticket/1147
|
|
|
|
| |
TLS v1.2
|
|
|
|
|
|
|
| |
New CLI commands have been added to import/export certificates and
private keys into/from the client security database. The CLI can
also be used to generate the file needed by Python client library
for client certificate authentication.
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new option has been added to the client-cert-import command to
import a certificate from CA by specifying the serial number.
The client-cert-import has also been modified to get the nickname
of the certificate to import from the CLI argument. For backward
compatibility, if no argument is specified the CLI will try to
get the nickname from the authentication option (-n).
Ticket #1152
|
|
|
|
|
|
|
|
| |
The user-cert-add CLI has been modified to provide an option to
specify the serial number of the certificate to be imported from
the CA.
Ticket #1151
|
|
|
|
|
|
|
| |
The ca-cert-request-review CLI has been modified to show the
request status after completing the operation.
Ticket #1149
|
|
|
|
|
|
|
| |
A new CLI has been added to simplify the process to request
a user certificate for client certificate authentication.
Ticket #1148
|
| |
|
| |
|
|
|
|
|
|
| |
All the secrets/keys retrieved using the client API's using Java/python
clients will be of the type - byte array. This applies to output of the
retrieveKey method and the public key attribute of the KeyInfo object.
|
|
|
|
|
| |
Addresses upstream issues in the pki key-* CLI commands.
Updates the man page in all the required cases.
|
|
|
|
|
|
|
| |
The client-cert-import command has been modified to propertly
initialize the CLI environment to avoid a null pointer exception.
Ticket #1126
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously specifying a security database password in the CLI would
require a certificate nickname to be specified as well. While this
is correct for client certificate authentication, it caused a
problem for operations that do not authenticate against the server
such as client-init. The CLI has been modified to require a security
database password only if the nickname is specified for client
certificate authentication.
Similar changes have been made to require user password only if
the username is specified for basic authentication.
The CLI also has been modified to store all specified parameters
in the config object regardless of parameter validation.
The manual page has been modified accordingly.
Ticket #1125
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously modifying the description of an empty group failed
because the server tried to delete a uniqueMember attribute that
did not exist because the group was already empty. The servlets and
group subsystem has been fixed to retrieve the existing group data
first, perform the changes on it, then save it back to the database.
Also adding a new group will no longer require a description because
it's not required by the LDAP object class.
Ticket #818
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds methods to key client to generate asymmetric keys using
algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096.
The generated keys are archived in the database.
Using the CLI, the public key(base64 encoded) can be retrieved by using
the key-show command.
The private key(base64 encoded) can be retrieved using the key-retrieve
command.
Ticket #1023
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously emptying a field in TPS UI could not be saved because
the change was not saved and sent to the server. The UI framework
now has been fixed to save and send the empty field to the server
such that the database can be updated properly.
Additional parameters have been added to the tps-token-mod command
to modify all editable fields.
Ticket #1085
|
|
|
|
|
|
|
|
| |
The missing token policy attribute has been added to token database. The
REST services, CLI, and UI have been fixed accordingly. Other missing
attributes in tokenRecord object class are unused.
Ticket #1085
|
|
|
|
| |
- PKI TRAC Ticket #555 - Other ways to specify CLI password
|
|
|
|
|
|
|
| |
The new command allows users to view the information about
kra connectors registered with the CA.
Ticket #479
|
|
|
|
|
|
|
|
|
|
| |
Updated man page for all the new CLI commands added
for the Key and KeyRequest resources.
Also added missing code to retrieve a secret wrapped in a
user specified passphrase.
Ticket #945
|
|
|
|
|
| |
- PKI TRAC Ticket #992 - pki cert-request-profile-find doesn't display list
of profiles by default
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to setup the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
|
|
|
|
|
|
|
| |
The ActivityService has been fixed to return the missing TPS activity
attributes including IP, operation, result, and message. The TPS CLI
and UI has been fixed to display the activity date in UTC format.
Ticket #1050
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There seems to be no use of the requestID parameter in both revoke
and unrevoke request. Removed requestID attribute in CertRevokeRequest
remove the class CertUnrevokeRequest.
Also made changes in RevocationProcesor to use the requestID of the
request created in it.
The setRequestID() is being called in the DoRevoke and DoUnRevoke servlets.
Removed the call and a function auditRequesterId in both the classes.
The auditRequestorId method tries to get a "requestID" stored as a INPUT field
in the reasonToRequest page. The ReasonToRevoke class which generates
this page does not set the value.
|
|
|
|
|
|
| |
The TPS connection REST service has been renamed to TPS connector.
Ticket #977
|
|
|
|
|
|
| |
The TPS connection client library has been renamed to TPS connector.
Ticket #977
|
|
|
|
|
|
| |
The TPS connection CLI has been renamed to TPS connector.
Ticket #977
|
|
|
|
|
|
|
|
| |
The UserService.findUserMemberships() has been modified to accept
an additional parameter to filter the groups in which the user
is a member. The CLI has been updated accordingly.
Ticket #920
|
|
|
|
|
|
|
|
| |
The GroupService.findGroupMembers() has been modified to accept an
additional parameter to filter the group members to be returned.
The CLI has been modified accordingly.
Ticket #920
|
|
|
|
|
| |
* PKI TRAC Ticket #585 - 'pki cert-request-review' --output creates a file
only when --action attribute is not present
|
|
|
|
| |
* PKI TRAC Ticket #843 - Incorrect CLI argument parsing
|
|
|
|
|
| |
* PKI TRAC Ticket #843 - Incorrect CLI argument parsing
* PKI TRAC Ticket #918 - CLI commands does not return code '1' for the failures
|
| |
|
| |
|
|
|
|
|
| |
key-archive, key-retrieve, key-recover, key-generate,
key-request-review, key-template-show, key-template-find
|
|
|
|
|
| |
This patch adds three new CLI commands -
KeyShowCLI, KeyRequestShowCLI, KeyModifyCLI
|
|
|
|
|
|
|
|
|
| |
A new method has been added to TPS audit REST service to enable or
disable audit logging. The CLI and UI have been modified to provide
a way to acces this functionality. Also, new ACL entries have been
added for audit.
Ticket #955
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new dialog has been added to change the token status. The status
can be changed by clicking the Status value in the tokens table.
Initially the status is Uninitialized. The status can be changed
according to the allowed status transitions defined in the CS.cfg.
The status and reason fields in TokenRecord is now translated into
a single status field in TokenData. This way the UI only needs to
handle a single status field.
A new field has also been added to the database for token type.
Some issues displaying and updating some token attributes have been
fixed as well.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new page has been added to manage general TPS configuration
properties. The properties are read-only by default. In edit
mode the property name will become a link which will show a
dialog to edit the property value.
The config REST service has been updated to use PATCH for
update operation and handle possible null collection of
properties.
Fixed a bug in TableItem.reset() where the code didn't clear
the table cell properly.
Fixed a bug in ConfigDatabase.getProperties() where the code
didn't handle null property key properly.
Ticket #654
|
|
|
|
|
|
|
|
|
|
| |
A new page has been added to the TPS UI to manage audit configuration.
The audit REST service has been modified to use PATCH like the other
services. The audit events will now have 3 possible values: mandatory,
enabled, disabled. Mandatory events cannot be edited. Optional events
can be edited in edit mode.
Ticket #654
|
|
|
|
|
|
|
|
| |
A new profile mapping page has been added to TPS UI. The page is fully
functional like other existing pages. The REST service for profile
mappings has been updated to be more consistent with other resources.
Ticket #654
|
|
|
|
|
|
|
|
|
|
| |
The TPS authenticators has been modified to use PATCH for update operation
as required by Backbone. The AuthenticatorData class has been modified to
accept null properties to indicate that the properties are not being
updated. The AuthenticatorModel class has been modified to use JSON data
type for enable and disable operations.
Ticket #654
|