| Commit message (Collapse) | Author | Age | Files | Lines |
| |
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
| |
Some OCSP-related classes have been modified to detect errors and
handle exceptions properly.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ifd054c47d04ff106120df2d7f3705366c7de9da9
| |
Some log messages in OCSP-related code have been updated for
clarity.
https://pagure.io/dogtagpki/issue/2652
Change-Id: Ie81b95906a0d9aef6126fb205a4bcec028731e39
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
| |
Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.
Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener with TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg files for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
| |
All pages in OCSP UI have been modified to retrieve access banner
and display it once at the beginning of the SSL connection.
https://fedorahosted.org/pki/ticket/2582
| |
The CMake create_symlink commands do not work on RHEL if the
source does not exist yet, so they have been replaced with regular
ln commands.
| |
The index.html files in OCSP UI have been renamed to index.jsp such
that they can be protected by the access banner.
https://fedorahosted.org/pki/ticket/2582
| |
To improve consistency across platforms the code in RPM spec that
creates the links to subsystem library files has been converted
into CMake scripts.
| |
Direct invocations of CryptoManager.getTokenByName() have been
replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken()
to ensure that internal token names are handled consistently both
in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
| |
The code that detects the internal token name has been modified to
use CryptoUtil.isInternalToken() such that the comparison can be
done consistently both in normal mode and FIPS mode.
https://fedorahosted.org/pki/ticket/2556
| |
The internal token full name literals have been replaced with
CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
https://fedorahosted.org/pki/ticket/2556
| |
The Constants.PR_INTERNAL_TOKEN has been replaced with
CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
https://fedorahosted.org/pki/ticket/2556
| |
The logging.properties files in OCSP, TKS, and TPS folders are
never deployed so they have been removed.
https://fedorahosted.org/pki/ticket/1897
| |
The lists of source and class files in some CMake files have been
generalized to allow renaming Java packages without changing the
CMake files again.
https://fedorahosted.org/pki/ticket/6
| |
The CMake scripts have been modified to store compiled Java classes
in separate folders for each JAR file to avoid duplicates.
https://fedorahosted.org/pki/ticket/2505
| |
To help with troubleshooting, the SigningUnit classes for CA and OCSP
have been modified to chain the original exceptions.
https://fedorahosted.org/pki/ticket/2463
| |
Look for the right JAX-RS API JAR (it has moved in Fedora 25).
Also remove a lot of redundant 'find_file' operations for this JAR.
Fixes: https://fedorahosted.org/pki/ticket/2373
| |
Ticket #1579: UdnPwdDirAuth authentication plugin instance is not working.
Since this class no longer works, we felt it best to just remove it from the server.
This patch removes the references and files associated with this auth method.
| |
https://fedorahosted.org/pki/ticket/2363
| |
To help with troubleshooting, the code has been modified to log more
detailed information in pre-op mode.
https://fedorahosted.org/pki/ticket/1654
| |
The CS.cfg.in files have been renamed to CS.cfg to clean up the CMake
scripts and for consistency. This change does not affect the actual
files shipped in the RPM packages.
https://fedorahosted.org/pki/ticket/2278
| |
Commit 04214b3d3405750cbbda228554c0d9f087a59170 left some vestigial
imports behind; remove them.
| |
The OCSP digest name lookup is currently defined in IOCSPAuthority
and implemented by OCSPAuthority, but /any/ code that deals with
CertID might need to know the digest, so move the lookup there.
Also refactor the lookup to use a HashMap, and add mappings for SHA2
algorithms.
| |
Fixes: https://fedorahosted.org/pki/ticket/1674
| |
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb file will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to a limitation of the watchdog (nuxwdog) at the present time,
the restart option currently only works if started with the watchdog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
| |
Due to a database upgrade issue the pki <subsystem>-audit CLI has
been removed from all subsystems except TPS.
The AuditModifyCLI has been modified to clarify that the --action
and the --input parameters are mutually exclusive.
https://fedorahosted.org/pki/ticket/1437
| |
Ticket #1466.
Also remove some needless copies of server.xml from the code.
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
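The per-thread SessionContext described in the message above, as an added illustration that is not Dogtag's own code: the class and method names, the "userid" key, the "<unknown>" marker and the shape of the interceptor are assumptions; only the design point (a ThreadLocal in place of a global Hashtable, populated by an interceptor on whichever thread runs the REST method, so the audit log sees the right principal) comes from the commit message.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class SessionContextDemo {

    /**
     * Per-thread request context. A ThreadLocal gives each worker thread its
     * own map, so nothing has to be keyed by Thread in a global Hashtable.
     */
    static final class SessionContext {
        static final String USER_ID = "userid";   // key name is an assumption

        private static final ThreadLocal<Map<String, Object>> CONTEXT =
                ThreadLocal.withInitial(HashMap::new);

        static Object get(String key) {
            return CONTEXT.get().get(key);
        }

        static void put(String key, Object value) {
            CONTEXT.get().put(key, value);
        }

        /** Drop the map so a pooled thread does not carry one request's identity into the next. */
        static void release() {
            CONTEXT.remove();
        }
    }

    /**
     * Hypothetical interceptor: binds the authenticated principal to whichever
     * thread actually runs the REST method, and always cleans up afterwards.
     */
    static <T> T withSession(String authenticatedUser, Callable<T> restMethod) throws Exception {
        SessionContext.put(SessionContext.USER_ID, authenticatedUser);
        try {
            return restMethod.call();
        } finally {
            SessionContext.release();
        }
    }

    /** Stand-in for the audit logger: it reads the subject from the current thread's context. */
    static String auditSubject() {
        Object user = SessionContext.get(SessionContext.USER_ID);
        return user == null ? "<unknown>" : user.toString();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newFixedThreadPool(2);
        Callable<String> logSubject = SessionContextDemo::auditSubject;
        try {
            // Failure mode: context populated on the caller thread is invisible
            // to the pool thread that runs the method, so the audit subject is lost.
            SessionContext.put(SessionContext.USER_ID, "caadmin");
            Future<String> unwrapped = pool.submit(logSubject);
            System.out.println("no interceptor:   " + unwrapped.get());
            SessionContext.release();

            // Fix: the interceptor establishes the context on the executing thread.
            Callable<String> intercepted = () -> withSession("caadmin", logSubject);
            Future<String> wrapped = pool.submit(intercepted);
            System.out.println("with interceptor: " + wrapped.get());

            // After release() the pool thread starts the next request clean.
            Future<String> after = pool.submit(logSubject);
            System.out.println("after release:    " + after.get());
        } finally {
            pool.shutdown();
        }
    }
}
```

The first submission shows the bug the message describes: identity set on the caller thread never reaches the thread that executes the method, so the audit record has no principal. The `finally` in `withSession` matters on a pooled thread: without `release()`, the next request handled by that thread would inherit the previous caller's identity, which is a worse audit failure than a missing one.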
| |
Tickets #1294, #1058
The patch does the following:
1. Allows an OCSP clone to actually install and operate.
It also sets a param appropriate for an OCSP clone. Ticket #1058
The controversial part of this one is the fact that I have disabled
having OCSP clones register themselves to the CA as publishing target.
The master is already getting the updates and we rely upon replication
to keep the clones updated. The current downside is the master is on an
island with respect to updates and could be considered a single point of failure.
Thus my proposal for this simple patch is to get the OCSP clone working as in existing
functionality. Then we come back and propose a ticket to allow the installer OCSP clones
to set up the publishers in such a way that all clones and master are registered, but when
it is actually time to publish, the CRL publisher has the smarts to know that members of a
clone cluster are in a group and the first successful publish should end the processing of
that group.
2. Allows the CA clone to set some params to disable certain things that a clone should not do.
This was listed as a set of misc post install tasks that we are trying to automate.
Code tested to work.
1. OCSP clones can be installed and the CRLs were checked to be in sync when an update occurred to the master.
2. The CA clone has been seen to have the required params and it looks to come up just fine.
Final review minor changes to tickets, 1294, and 1058.
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
| |
The deployment tool has been modified to deploy all subsystems
directly from /usr/share/pki. This will simplify updating
the templates in the web applications.
https://fedorahosted.org/pki/ticket/499
| |
https://fedorahosted.org/pki/ticket/1296
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
| |
The EBaseException(String msgFormat, String param) constructor has
been removed because it's only used once and can be substituted
with another constructor. All subclasses of EBaseException have
been updated accordingly.
https://fedorahosted.org/pki/ticket/915
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries were using an all-in-one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
| |
This reverts commit 223d15539b7bcc0df025025036af2935726e52e3.
The patch does not work for subsystems installed on separate
instances since it will require additional OCSP setup.
| |
The CS.cfg templates for all subsystems have been modified to enable
certificate revocation checking during authentication. This will
affect new installations only.
Ticket #1117, #1134
| |
- PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
| |
- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .