| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
| |
* PKI TRAC Ticket #899 - RFE - ipa-server should keep backup of CS.cfg
|
| |
|
|
|
| |
* PKI TRAC Ticket #946 - Installation of IPA hangs up
when LANG is set to tr_TR.UTF8
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
| |
|
|
|
|
|
| |
Subsystem-specific configuration codes have been moved from the
SystemConfigService into the subsystem-specific installer.
Ticket #890
|
| |
|
|
|
|
|
|
|
| |
New subclasses of SystemConfigService have been added for each
subsystem to replace the base installer. Initially these classes
are blank, so they are identical to the base class. Later they will
store subsystem-specific installation code.
Ticket #890
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the CMSStartServlet always requires a cfgPath parameter
pointing to the CS.cfg location. By default the parameter points to
<instance>/conf/<subsystem>/CS.cfg unless it's manually changed by
the admin after installation.
Recently the servlet has been modified such that if the parameter
is not specified it will generate the default path automatically.
So it is no longer necessary to keep the cfgPath parameter in the
web.xml templates because it will point to the same location.
This patch removes the cfgPath parameters from all web.xml templates.
This way newly created subsystems will not have this parameter, which
will help direct deployment in the future. An upgrade script has been
added to remove the parameter from existing instances if it points to
the default location. If the parameter points to a different location
that means the subsystem has been customized so it will not be changed.
Ticket #748, #499
|
| |
|
|
|
|
|
|
|
|
|
| |
A new CLI parameter has been added to allow the user select the
REST message format. This is done by setting the default consumes
and produces when creating the client proxy. For this to work the
hard-coded @Consumes and @Produces annotations need to be removed
from the interface definition. A new interceptor has been added
to validate the message format before executing the operation.
Ticket #554
|
| |
|
|
|
|
|
|
| |
The REST service classes have been moved into org.dogtagpki.server
namespace. A new upgrade script has been added to update existing
instances.
Ticket #114
|
| |
|
|
|
|
|
|
| |
This patch provides authentication plugin avoiding anonymous access.
Steps to use the plugin:
https://wiki.idm.lab.bos.redhat.com/export/idmwiki/New_Directory_Authentication_Plugin
BZ 861467/ Trac #348.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The location of web application context file has been changed from
<instance>/webapps/<name>/META-INF/context.xml
into
<instance>/conf/Catalina/localhost/<name>.xml.
This will eventually allow deploying the web application directly
from the shared folder.
A new upgrade script has been added to move the context files in
the existing instances.
Ticket #499
|
| |
|
|
|
|
|
| |
New ACL has been added to allow only the administrators in each subsystem
to access the selftests.
Ticket #652
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ACL mapping files have been renamed from auth.properties to
acl.properties to match the actual content and moved into the
subsystem conf folder. The authentication method mapping files
have been extracted from the interceptor into actual files.
The ACLInterceptor and AuthMethodInterceptors have been modified to read
the default mapping first, then overwrite it with custom mapping if it
exists in the subsystem folder.
The UpdateAuthzProperties upgrade script has been replaced with
RemoveAuthProperties that will remove the old auth.properties.
|
| |
|
|
|
| |
The ACL and auth method mapping names in some resources have been
modified to be more consistent with those in other resources.
|
| |
|
|
|
|
|
|
|
|
| |
New ACL has been added to allow only the administrators to access
TPS authenticators.
The set of interceptors in each application has been modified to
preserve the order.
Ticket #652
|
| |
|
|
|
|
|
| |
Due to a regression RESTEasy is unable to find some sub-resources properly.
As a workaround some resources need to be merged into the parent resource.
The UserCertResource and UserMembershipResource have been merged into
UserResource. The GroupMemberResource has been merged into GroupResource.
|
| |
|
|
| |
* TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
|
| |
|
|
| |
* TRAC Ticket #667 - provide option for ca-less drm install
|
| |
|
|
|
|
|
| |
A new REST service and clients have been added to manage the audit
configuration in all subsystems.
Ticket #652
|
| |
|
|
|
|
|
| |
New REST service and clients have been added for managing selftests
in all subsystems.
Ticket #652
|
| |
|
|
| |
Ticket 719
|
| | |
|
| |
|
|
|
|
| |
The ACLInterceptor and AuthMethodInterceptor interceptors only run
on the server, so they have been moved from the base package into
the server package.
|
| |
|
|
|
| |
This code allows pkispawn to configure a tps in tomcat.
It does not include any config using the web UI panels.
|
| |
|
|
|
|
|
|
|
| |
The authenticator configuration has been modified to store the authentication
info in the session so it can be used by the servlets. An upgrade script has
been added to update the configuration in existing instances.
The SSLAuthenticatorWithFalback was modified to propagate the configuration
to the actual authenticator handling the request.
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously the server certificate name was partially hard-coded as
"Server-Cert cert-[PKI_INSTANCE_NAME]". Now in Tomcat-based subsystems
it can be fully configured using pki_ssl_server_nickname parameter.
In Apache-based subsystems it's left unchanged.
Unused serverCertNick.conf files have been removed.
Ticket #631
|
| |
|
|
|
| |
The PKI_SUBSYSTEM_DIR variable is redundant and can be replaced
with PKI_SUBSYSTEM_TYPE.
|
| |
|
|
|
| |
The PKI_INSTANCE_ID variable has been renamed into PKI_INSTANCE_NAME
for consistency.
|
| |
|
|
|
| |
The SERVER_NAME and PKI_MACHINE_NAME variables have been renamed
into PKI_HOSTNAME for consistency.
|
| |
|
|
|
|
|
|
|
|
|
| |
The upgrade framework has been modified to use pki.conf to track
system upgrade, tomcat.conf to track instance upgrade, and CS.cfg
to track subsystem upgrade.
The preop.product.version in CS.cfg has been renamed into
cms.product.version and is now used to track upgrade.
Ticket #544
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Connection is now made to the installation servlet through a python
client using JSON. The code to construct the ConfgurationRequest and
parse the results has been moved to pkihelper.py, and configuration.py
no longer calls a separate jython process to create the Configuration
object and parse the results. The jython code has therefore been removed.
Also added status servlet to other java subsystems, to be tested prior
to starting configuration.
Trac Ticket 532
|
| |
|
|
|
|
|
|
|
|
| |
By default Tomcat relies on /dev/random as a random number generator
to generate the session ID's. Under certain conditions /dev/random
may block, which will block Tomcat as well. To solve the problem all
webapps in Tomcat have been configured to use the random number
generator provided by JSS.
Ticket #524
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new mechanism has been added to specify the authentication methods that
can be used to invoke the REST methods. The AuthMethodMapping annotation
maps each REST method to a list of allowed authentication methods. When a
client calls a REST method, the AuthMethodInterceptor will intercept the
call and verify that the client uses an allowed authentication method.
Most REST methods that require authentication have been configured to
require client certificate authentication. Authentication using username
and password will only be used to get the installation token from security
domain.
Ticket #477
|
| |
|
|
|
|
|
|
| |
New CLI's have been added to search, add, and remove user membership.
The group member management code has been refactored into a processor
to allow reuse.
Ticket #190
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The paths to RESTEasy jar files have been modified such that it can
be configured globally at build time using the spec file to support
different distributions, and at deployment time using a system-wide
configuration in /etc/pki/pki.conf.
Ticket #422, #423.
|
| |
|
|
|
|
|
| |
1. Modified cmake dependency
2. Corrected conditionals in spec file
3. Added paths for resteasy-base
4. Added paths to policy for resteasy-base
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
All remaining theme files for Tomcat subsystems which include
the templates and JS files have been moved from the theme folder
at <subsystem>-ui/shared/webapps/<subsystem> into the subsystem
webapp folder at base/<subsystem>/shared/webapps/<subsystem>.
The deployment tools have been updated to use the new location.
Ticket #407
|
| |
|
|
|
|
|
|
|
| |
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
|
| | |
|
| |
|
|
| |
* TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
|
| |
|
|
|
|
|
| |
The REST account service has been added to TKS and OCSP to enable
authentication.
Ticket #375
|
| |
|
|
| |
Ticket 369
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The RPM spec files have been modified to pass the full RPM version
number to CMake. The version number contains the product version
number, release number, milestone, and platform. The CMake scritps
will parse and use this version number to generate Java manifest
files. The product version number will be used as the specification
version and full version number will be used as the implementation
version.
Ticket #339
|
| |
|
|
|
|
|
|
|
|
|
| |
The CMake scripts have been modified to store the version number
in /usr/share/pki/VERSION and in JAR manifest files. These files
can be read by PKI applications to obtain the version number
without having to query the RPM database.
Fixed warnings in Java.cmake file.
Ticket #339
|
| |
|
|
|
|
|
|
|
|
|
| |
The current ROOT webapp will redirect users coming to the root
URL path to the proper path of the subsystem's webapp.
Since now a single Tomcat instance may have multiple subsystems,
a new ROOT webapp has been added to present the user with a menu
of all available webapps from all subsystems in the instance.
Ticket #89
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, they will register their
own realms into the proxy realms such that the authentications will
be forwarded to the appropriate subsystems.
Ticket #89
|
| |
|
|
|
|
|
| |
The common classes used by REST client and services have been moved
into the com.netscape.certsrv.<component> packages.
Ticket #215
|
