summaryrefslogtreecommitdiffstats
path: root/base/kra/shared
Commit message (Collapse)AuthorAgeFilesLines
* Encapsulate server side keygen audit eventsAde Lee2017-05-251-2/+2
| | | | | | | | | This encapsulates key gen events for the token servlets. Consolidated the success and failure cases. Note that this event can likely later be replaced with security_data_keygen events. Leaving separate for now. Change-Id: I6caaeb2231fd2f7410eade03cb5fa93d66444bbf
* Fix failing audit logAde Lee2017-05-241-2/+2
| | | | | | | | | | | | As currently written, the audit log for completing the cert processing on the KRA will always fail because the cert is not yet issued. The cert is only issued after the key is archived. Basically, though, this particular log is only suppposed to be written to the CA audit log. Rather than adding a subsystem check, the simplest solution is to not expose this event on the KRA. Change-Id: I9e658dca15fd87e87c0124c4c9972dbca2910643
* Fix auditing in retrieveKeyAde Lee2017-05-231-1/+1
| | | | | | | | | | | | The auditing in retrieveKey is all messed up. * Added new audit event to track accesses to KeyInfo queries. They may produce a lot of events, especially if events are generated for every listing of data. By default, this event may be turned off. * Added audit events for generation and processing of key recovery requests. Change-Id: Icb695e712bdfadf0a80903aa52bd00b9d4883182
* Encapsulate key retrieval audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | | | | Key retrieval is when the key/secret is extracted and returned to the client (once the recovery request is approved). We combine SECURITY_DATA_RETRIEVE_KEY and a couple of older EXPORT events. Note: an analysis of the key retrieval rest flow (and the auditing there will be done in a subsequent patch). Change-Id: Ibd897772fef154869a721fda55ff7498210ca03c
* Eliminate async recovery audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | | There are now many ways to recover keys. From an auditing point of view, its not helpful to distinguish between sync or async requests. So we just use SECURITY_DATA ... Change-Id: Id64abd56248c07f3f7f7b038ba5ac458af854089
* Encapsulate recovery processed audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | This creates audit events for KEY_RECOVERY_PROCESSED and SECURITY_DATA_RECOVERY_PROCESSED audit logs. We simplify by reducing the logs to the SECURITY_DATA ones. Change-Id: I75968799dec48d1f056ba15f8125d3bd031f31bb
* Encapsulate key recovery audit eventsAde Lee2017-05-231-2/+2
| | | | | | | | Encapsulate SECURITY_DATA_KEY_RECOVERY_REQUEST and KEY_RECOVERY_REQUEST audit events as audit event objects. We have collapse to a single audit event type. Change-Id: I68c27573725cf27c34d008c58847d6a22e0d0bac
* Encapsulate archival processed audit logsAde Lee2017-05-231-1/+1
| | | | | | | | Encapsulate audit logs for SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED and PRIVATE_KEY_ARCHIVAL_REQUEST_PROCESSED. We have merged the two audit events. Change-Id: I2abc7edff076495bb62733b92304fecd4f15b2b7
* Encapsulate the archival audit logAde Lee2017-05-231-2/+2
| | | | | | | | | | | | | This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events. The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the SECURITY_DATA ones to simplify the whole structure. They used to provide an archivalID parameter which was pretty much meaningless as it was at best just the same as the request id which is alreadty logged. So this is now dropped. Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
* Added CLIs to access audit log files.Endi S. Dewata2017-04-041-0/+3
| | | | | | | New pki audit commands have been added to list and retrieve audit log files. Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems.Endi S. Dewata2017-04-043-0/+19
| | | | | | | Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems. Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Change default key size for KRA storage unit to 128Ade Lee2017-04-031-1/+1
| | | | | | | Most of the research out there seems to indicate that AES-128 is more than sufficient for security. Use this as default. Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e
* Added audit logs for SSL/TLS events.Endi S. Dewata2017-03-281-2/+2
| | | | | | | | | | | | | | | The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs. The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events. https://pagure.io/dogtagpki/issue/2602 Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Modify storage unit to generate a new IVAde Lee2017-03-241-1/+1
| | | | | | | | | | | | | | | | | Currently, the storage unit reuses the same IV each time a record is stored. This works (probably) for DES3, but not for AES. The getWrappingParams() method is modified to check the config as follows (in order): -- if the iv is defined, use that iv -- if the length is defined, generate a byte array of that length -- return null To ensure that the same IV used to encrypt the secret is stored in the DB, the wrapping param is defined once in the archival process, and passed in to the wrapping functions in storageUnit. Change-Id: Ia6696adf56fc7a4e90f83948c7549b64a38ab854
* Add config options to allow storage wrappings to be setAde Lee2017-03-151-0/+20
| | | | | | | | | | Wrapping params can now be specified in CS.cfg as per design. The default will be AES. If the parameters are not set, then the old mechanism (DES) will be used instead. A migration script will be created in a separate commit. Change-Id: I01a74b99c4ed127d66e5b766357af59a1147839d
* Added access banner to KRA UI.Endi S. Dewata2017-02-2452-29/+346
| | | | | | | All pages in KRA UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection. https://fedorahosted.org/pki/ticket/2582
* Renamed index.html to index.jsp in KRA UI.Endi S. Dewata2017-02-206-4/+4
| | | | | | | The index.html files in KRA UI have been renamed to index.jsp such that they can be protected by access banner. https://fedorahosted.org/pki/ticket/2582
* Removed unused CA and KRA logging.properties.Endi S. Dewata2016-11-181-70/+0
| | | | | | | The logging.properties files in CA and KRA folders are never deployed so they have been removed. https://fedorahosted.org/pki/ticket/1897
* UdnPwdDirAuth authentication plugin instance is not working.Jack Magne2016-06-171-1/+0
| | | | | | | | Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Removed unused Tomcat 6 files.Endi S. Dewata2016-06-171-58/+0
| | | | https://fedorahosted.org/pki/ticket/2363
* Ticket #2352 [TMS] missing netkeyKeyRecovery requests option in KRA agent ↵Christina Fu2016-06-031-3/+4
| | | | for "List Request" This patch allows KRA agent to list netkeyKeyRecovery requests.
* New VLV indexes for KRA including realmAde Lee2016-06-021-13/+13
|
* Renamed CS.cfg.in to CS.cfg.Endi S. Dewata2016-05-092-1/+1
| | | | | | | | The CS.cfg.in have been renamed to CS.cfg to clean up the CMake scripts and for consistency. This change does not affect the actual files shipped in the RPM packages. https://fedorahosted.org/pki/ticket/2278
* Add realm schema changesAde Lee2016-04-201-0/+8
| | | | | Added realm attribute and index. Added to request and keyRecord. Part of Trac Ticket 2041
* Add new usn entry to other subsystemsAde Lee2016-04-151-0/+1
|
* Remove vestiges of NISAuth pluginFraser Tweedale2016-02-161-1/+0
| | | | Fixes: https://fedorahosted.org/pki/ticket/1674
* Remove obsolete catalina config filesFraser Tweedale2016-01-212-271/+0
|
* remove extra space from Base 64 encoded cert displaysMatthew Harmsen2015-07-311-2/+2
| | | | | - PKI TRAC Ticket #1522 - CA UI adds extra space in Base 64 encoded certificate display
* Add code to reindex data during cloning without replicationAde Lee2015-07-312-0/+33
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-161-265/+0
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Cleaned up links in main page.Endi S. Dewata2015-06-111-2/+1
| | | | | | | | | | | | | The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem. The pkispawn output has been modified to show the subsystem URL more consistently: https://<hostname>:<port>/<subsystem> In all subsystems except TPS the page will redirect to: https://<hostname>:<port>/<subsystem>/services
* Ticket 1160 audit needed for getKeyInfo; audit missing for auth/authz at ↵Christina Fu2015-05-141-2/+2
| | | | REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
* Remove duplicate prompt on nuxwdog startupAde Lee2015-04-231-1/+1
|
* Moved color settings to CSS.Endi S. Dewata2015-04-225-5/+7
| | | | | | | The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file. https://fedorahosted.org/pki/ticket/1296
* Added direct deployment for all subsystems.Endi S. Dewata2015-04-221-1/+1
| | | | | | | | The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications. https://fedorahosted.org/pki/ticket/499
* Fixed typos.Matthew Harmsen2015-04-222-2/+2
|
* Parameterized KRAMatthew Harmsen2015-04-225-28/+122
| | | | - PKI TRAC Ticket #1296 - RHCS 9.0 theme
* Parameterized service.template in all subsystems.Endi S. Dewata2015-04-221-2/+28
| | | | https://fedorahosted.org/pki/ticket/1296
* Changes to config files to support nuxwdogAde Lee2015-04-221-0/+1
| | | | Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8.Endi S. Dewata2015-04-211-37/+0
| | | | | | | | | | | | The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-1/+1
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Fix-for-Bug-1170867-TPS-Installation-FailedJack Magne2014-12-164-544/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif,database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine. Addressed further review comments: 1. Removed trailing whitespace instances from schema.ldif which had some. 2. Used pycharm to remove the few PEP violations I had previously added to the Python code. 3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries was using an all in one syntax. No more since now each entry is separate. 4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance. 5. Tested everything to work as before, including basic TPS operations such as Format. Fixed a method comment string and fixed some typos.
* Added missing audit event ASYMKEY_GENERATION_REQUEST to KRA CS.cfgAde Lee2014-09-241-2/+2
|
* Revert "Enabled certificate revocation checking by default."Endi S. Dewata2014-09-041-3/+1
| | | | | | | This reverts commit 223d15539b7bcc0df025025036af2935726e52e3. The patch does not work for subsystems installed on separate instance since it will require additional OCSP setup.
* Enabled certificate revocation checking by default.Endi S. Dewata2014-09-031-1/+3
| | | | | | | | The CS.cfg templates for all subsystems have been modified to enable certificate revocation checking during authentication. This will affect new installations only. Ticket #1117, #1134
* Disable PKI GUI ConfigurationMatthew Harmsen2014-08-281-38/+0
| | | | - PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
* Generate asymmetric keys in the DRM.Abhishek Koneru2014-08-271-0/+3
| | | | | | | | | | | | Adds methods to key client to generate asymmetric keys using algorithms RSA and DSA for a valid key sizes of 512, 1024, 2048,4096. The generated keys are archived in the database. Using the CLI, the public key(base64 encoded) can be retrieved by using the key-show command. The private key(base64 encoded) can be retrieved using the key-retrieve command. Ticket #1023
* UI scrubMatthew Harmsen2014-08-221-10/+0
| | | | * PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
* Remove legacy 'systemctl' filesMatthew Harmsen2014-07-033-108/+0
| | | | - PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
* Backup and Archive CS.cfgMatthew Harmsen2014-07-021-0/+1
| | | | * PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
generated by cgit (git 2.34.1) at 2025-09-26 18:36:23 +0000