summaryrefslogtreecommitdiffstats
path: root/base/kra/shared/conf
Commit message (Collapse)AuthorAgeFilesLines
* Encapsulate server side keygen audit eventsAde Lee2017-05-251-2/+2
| | | | | | | | | This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
* Fix failing audit logAde Lee2017-05-241-2/+2
| | | | | | | | | | | | As currently written, the audit log for completing the cert processing on the KRA will always fail because the cert is not yet issued. The cert is only issued after the key is archived. Basically, though, this particular log is only suppposed to be written to the CA audit log. Rather than adding a subsystem check, the simplest solution is to not expose this event on the KRA. Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
* Fix auditing in retrieveKeyAde Lee2017-05-231-1/+1
| | | | | | | | | | | | The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
* Encapsulate key retrieval audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | | | | Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Eliminate async recovery audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | | There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
* Encapsulate recovery processed audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
* Encapsulate key recovery audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
* Encapsulate archival processed audit logsAde Lee2017-05-231-1/+1
| | | | | | | | Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
* Encapsulate the archival audit logAde Lee2017-05-231-2/+2
| | | | | | | | | | | | | This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Added CLIs to access audit log files.Endi S. Dewata2017-04-041-0/+3
| | | | | | | New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems.Endi S. Dewata2017-04-042-0/+6
| | | | | | | Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems. Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Change default key size for KRA storage unit to 128Ade Lee2017-04-031-1/+1
| | | | | | | Most of the research out there seems to indicate that AES-128 is more than sufficient for security. Use this as default. Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e
* Added audit logs for SSL/TLS events.Endi S. Dewata2017-03-281-2/+2
| | | | | | | | | | | | | | | The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Modify storage unit to generate a new IVAde Lee2017-03-241-1/+1
| | | | | | | | | | | | | | | | | Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES. The getWrappingParams() method is modified to check the config as follows (in order): -- if the iv is defined, use that iv -- if the length is defined, generate a byte array of that length -- return null To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit. Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Add config options to allow storage wrappings to be setAde Lee2017-03-151-0/+20
| | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
* Removed unused CA and KRA logging.properties.Endi S. Dewata2016-11-181-70/+0
| | | | | | | The logging.properties files in CA and KRA folders are never deployed so they have been removed. https://fedorahosted.org/pki/ticket/1897
* UdnPwdDirAuth authentication plugin instance is not working.Jack Magne2016-06-171-1/+0
| | | | | | | | Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Removed unused Tomcat 6 files.Endi S. Dewata2016-06-171-58/+0
| | | | https://fedorahosted.org/pki/ticket/2363
* New VLV indexes for KRA including realmAde Lee2016-06-021-13/+13
|
* Renamed CS.cfg.in to CS.cfg.Endi S. Dewata2016-05-092-1/+1
| | | | | | | | The CS.cfg.in have been renamed to CS.cfg to clean up the CMake scripts and for consistency. This change does not affect the actual files shipped in the RPM packages. https://fedorahosted.org/pki/ticket/2278
* Add realm schema changesAde Lee2016-04-201-0/+8
| | | | | Added realm attribute and index. Added to request and keyRecord. Part of Trac Ticket 2041
* Add new usn entry to other subsystemsAde Lee2016-04-151-0/+1
|
* Remove vestiges of NISAuth pluginFraser Tweedale2016-02-161-1/+0
| | | | Fixes: https://fedorahosted.org/pki/ticket/1674
* Remove obsolete catalina config filesFraser Tweedale2016-01-212-271/+0
|
* Add code to reindex data during cloning without replicationAde Lee2015-07-312-0/+33
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-161-265/+0
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Ticket 1160 audit needed for getKeyInfo; audit missing for auth/authz at ↵Christina Fu2015-05-141-2/+2
| | | | REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
* Remove duplicate prompt on nuxwdog startupAde Lee2015-04-231-1/+1
|
* Changes to config files to support nuxwdogAde Lee2015-04-221-0/+1
| | | | Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8.Endi S. Dewata2015-04-211-37/+0
| | | | | | | | | | | | The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-1/+1
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Fix-for-Bug-1170867-TPS-Installation-FailedJack Magne2014-12-164-544/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif,database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine. Addressed further review comments: 1. Removed trailing whitespace instances from schema.ldif which had some. 2. Used pycharm to remove the few PEP violations I had previously added to the Python code. 3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries was using an all in one syntax. No more since now each entry is separate. 4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance. 5. Tested everything to work as before, including basic TPS operations such as Format. Fixed a method comment string and fixed some typos.
* Added missing audit event ASYMKEY_GENERATION_REQUEST to KRA CS.cfgAde Lee2014-09-241-2/+2
|
* Revert "Enabled certificate revocation checking by default."Endi S. Dewata2014-09-041-3/+1
| | | | | | | This reverts commit 223d15539b7bcc0df025025036af2935726e52e3. The patch does not work for subsystems installed on separate instance since it will require additional OCSP setup.
* Enabled certificate revocation checking by default.Endi S. Dewata2014-09-031-1/+3
| | | | | | | | The CS.cfg templates for all subsystems have been modified to enable certificate revocation checking during authentication. This will affect new installations only. Ticket #1117, #1134
* Generate asymmetric keys in the DRM.Abhishek Koneru2014-08-271-0/+3
| | | | | | | | | | | | Adds methods to key client to generate asymmetric keys using algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096. The generated keys are archived in the database. Using the CLI, the public key(base64 encoded) can be retrieved by using the key-show command. The private key(base64 encoded) can be retrieved using the key-retrieve command. Ticket #1023
* Backup and Archive CS.cfgMatthew Harmsen2014-07-021-0/+1
| | | | * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
* Fix identities for security data storage, retrieval and generationAde Lee2014-06-131-2/+2
| | | | | | | | | | | | For the new security data storage and retrieval, and for symmetric key generation, we need to store the identity of the agent that is requesting and approving each operation, both in the ldap record and in the audit logs. (Tickets 806 and 807) This patch also adds required logic to check that the owner of the recovery request is the same agent that retrieves the key. It also adds missing audit log constants for symmmetric key generation so that they will show up in the audit log.
* Change LDAP Attributes to allow for tr_TR localeMatthew Harmsen2014-05-202-88/+88
| | | | | * PKI TRAC Ticket #946 - Installation of IPA hangs up when LANG is set to tr_TR.UTF8
* authentication pluginAndrew Wnuk2014-01-021-0/+1
| | | | | | | | This patch provides authentication plugin avoiding anonymous access. Steps to use the plugin: https://wiki.idm.lab.bos.redhat.com/export/idmwiki/New_Directory_Authentication_Plugin BZ 861467/ Trac #348.
* Moved web application context file.Endi S. Dewata2013-12-161-15/+12
| | | | | | | | | | | | | | The location of web application context file has been changed from <instance>/webapps/<name>/META-INF/context.xml into <instance>/conf/Catalina/localhost/<name>.xml. This will eventually allow deploying the web application directly from the shared folder. A new upgrade script has been added to move the context files in the existing instances. Ticket #499
* Added ACL for selftests.Endi S. Dewata2013-12-052-0/+3
| | | | | | | New ACL has been added to allow only the administrators in each subsystem to access the selftests. Ticket #652
* Replaced auth.properties with acl.properties.Endi S. Dewata2013-11-202-0/+28
| | | | | | | | | | | | | | The ACL mapping files have been renamed from auth.properties to acl.properties to match the actual content and moved into the subsystem conf folder. The authentication method mapping files have been extracted from the interceptor into actual files. The ACLInterceptor and AuthMethodInterceptors have been modified to read the default mapping first, then overwrite it with custom mapping if it exists in the subsystem folder. The UpdateAuthzProperties upgrade script has been replaced with RemoveAuthProperties that will remove the old auth.properties.
* Stand-alone DRMMatthew Harmsen2013-10-251-2/+2
| | | | * TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
* Stand-alone DRMMatthew Harmsen2013-10-153-0/+14
| | | | * TRAC Ticket #667 - provide option for ca-less drm install
* Add audit logging for new security data operations in kraAde Lee2013-10-071-2/+2
| | | | Ticket 97
* manager.ldif referenced incorrectly in CS.cfgAde Lee2013-09-041-1/+1
| | | | Ticket 719
* TRAC Ticket #641 - Incorrect interface labels in pkidaemon outputMatthew Harmsen2013-09-041-5/+5
|
* Initial code to configure a TPS in tomcatAde Lee2013-08-131-1/+1
| | | | | This code allows pkispawn to configure a tps in tomcat. It does not include any config using the web UI panels.
* Fixed hard-coded server certificate nickname.Endi Sukma Dewata2013-06-032-2/+1
| | | | | | | | | | | Previously the server certificate name was partially hard-coded as "Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems it can be fully configured using pki_ssl_server_nickname parameter. In Apache-based subsystems it's left unchanged. Unused serverCertNick.conf files have been removed. Ticket #631
generated by cgit (git 2.34.1) at 2026-01-06 01:22:27 +0000