| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Duplicate log() methods for audit events have been merged into the
Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I7a5147ff3221a52a82e69f56faf2156c04256db2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Signed audit logger creation has been simplified into:
Logger signedAuditLogger = SignedAuditLogger.getLogger();
The null checks on signed audit logger have been removed since
it cannot be null. Audit messages can be logged as follows:
signedAuditLogger.log(message);
https://pagure.io/dogtagpki/issue/2689
Change-Id: I3bf781b0194a6cbb166f71751c098d1c2a3a657a
|
| |
|
|
|
|
|
|
|
| |
A LogSource enumeration has been added to replace the integer
log source in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: I6f69219fbbfa00d83f26a32174c75ff2782eb6af
|
| |
|
|
|
|
|
|
|
| |
A LogCategory enumeration has been added to replace the integer
log category in the Logger class.
https://pagure.io/dogtagpki/issue/2689
Change-Id: Ic92e64c3abdf859841eaf1006afc61bbf573086d
|
| |
|
|
|
| |
This patch adds enforcement in CMCUserSignedAuth to make sure SSL client authentication is performed and the authenticated cert matches that of the CMC signing cert.
Some auditing adjustments are also done.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The code that reads the access banner from file has been modified
to explicitly use UTF-8 encoding.
The Info class and the PKI UI have been modified not to encode the
access banner in Base64 since it is not necessary.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
|
| |
|
|
|
|
|
|
|
|
| |
The PKIService has been modified to trim whitespaces in access
banner before returning the value to the client. The clients
have been modified to no longer trim the banner.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch encapsulates the SECURITY_DATA_ARCHIVAL_REQUEST and
PRIVATE_DATA_ARCHIVAL_REQUEST audit logs as audit events.
The PRIVATE_DATA_ARCHIVAL_REQUEST events are mapped to the
SECURITY_DATA ones to simplify the whole structure. They
used to provide an archivalID parameter which was pretty much
meaningless as it was at best just the same as the request id
which is alreadty logged. So this is now dropped.
Change-Id: I705d25ce716c73f2c954c5715b0aafdad80b99d2
|
| |
|
|
|
|
|
| |
Some log messages have been added to help troubleshoot the cause
of server shutdown.
Change-Id: Ie2a91647a0986fdb11cafed2aec48cce208ef1a2
|
| |
|
|
|
|
|
|
|
| |
A new RoleAssumeEvent class of has been added to encapsulate the
ROLE_ASSUME events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I12e47ea13198b6532b1fdfee2e20765c0cab15e9
|
| |
|
|
|
|
|
|
|
| |
A new AuthzFailEvent class of has been added to encapsulate the
AUTHZ_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Id4ab9bd889a1a9314264c0ef2ff7b2389aed8f9c
|
| |
|
|
|
|
|
|
|
| |
A new AuthzSuccessEvent class of has been added to encapsulate the
AUTHZ_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I2f45fb2c3ba8acdc82777644cf4ad0ec2eff35a5
|
| |
|
|
|
|
|
|
|
| |
A new AuthFailEvent class of has been added to encapsulate the
AUTH_FAIL events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: I870398f6a56df007c9520e50947a7b3c85baf79b
|
| |
|
|
|
|
|
|
|
| |
A new AuthSuccessEvent class of has been added to encapsulate the
AUTH_SUCCESS events.
https://pagure.io/dogtagpki/issue/2641
Change-Id: Ie7cc751728ac079e30ece354ca44c5266474bcd3
|
| |
|
|
|
|
|
| |
New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.
Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
|
| |
|
|
| |
Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
|
| |
|
|
| |
Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
|
| |
|
|
| |
Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
|
| |
|
|
|
|
|
| |
New pki audit commands have been added to list and retrieve audit
log files.
Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to register an SSL socket
listener called PKIServerSocketListener to TomcatJSS.
The PKIServerSocketListener will receive the alerts generated by
SSL server sockets and generate ACCESS_SESSION_* audit logs.
The CS.cfg for all subsystems have been modified to include
ACCESS_SESSION_* audit events.
https://pagure.io/dogtagpki/issue/2602
Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
|
| |
|
|
|
|
|
|
|
|
|
| |
New REST services classes have been added to PKIApplication.
The InfoService provides general information about the server
including version number and access banner. The LoginService
provides a way to notify the server that the banner has been
displayed on the client, which in that case the InfoService
will no longer return the banner again in the same session.
https://fedorahosted.org/pki/ticket/2582
|
| |
|
|
|
|
|
|
|
| |
The subsystem-based methods and fields in PKIService class have
been moved into a new SubsystemService class to allow creating
more generic non-subsystem-based services.
The classes that use these methods and fields have been updated
accordingly.
|
| | |
|
| |
|
|
|
|
|
| |
This patch comments out unneeded data in TMS debug logs (TPS&TKS);
It reduces the size of the debug logs by a lot.
Note that for ease of later development debugging, the debug lines
are commented out instead of being removed
|
| |
|
|
|
|
|
| |
We add authz realm checks as appropriate for each
operation.
Part of Trac Ticket #2041
|
| |
|
|
|
|
|
|
| |
The CertificateAuthority.getCACert() has been modified to re-throw
the exception instead of ignoring it. All callers have been
modified to bubble up the exception.
https://fedorahosted.org/pki/ticket/1654
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
| | |
|
| |
|
|
|
|
|
| |
The LDAPSecurityDomainSessionTable has been modified to throw
an exception if there is a failure.
https://fedorahosted.org/pki/ticket/1633
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
| |
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to remove the connector from the pki CLI was found to be broken
because of invalid message type (partly due to void returns).
On uninstall, we need to remove the kra-connector from all relevant CA's
in the security domain. The best way to do this is to keep kra-connector
info in LDAP, so that only one call is needed. Until that change has
been made, we are adding a hack to remove the connector from all CA's
in the secutrity domain (if it exists).
Due to issues with proxy configurations, we will continue to use sslget
and a url-encoded-form version of the servlet.
In addition, it was found that when removing a KRA from a shared subsystem,
the updateDomainXML servlet was erroneously returning failure when it
was unsuccessful in removing a non-existent user from a group.
Ticket 1113
|
| |
|
|
|
|
|
|
| |
The REST service has been modified to return additional attributes
for transport certificate including serial number, issuer DN,
subject DN, and resource link.
Ticket #1065
|
| |
|
|
|
|
|
|
|
|
| |
The REST service and client library have been fixed to use the correct
delimiters for transport certificate.
The REST service was also modified to insert a new line between the
header and the certificate data.
Ticket #1063
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To simplify the usage, the SystemCertClient.get_transport_cert()
has been modified to parse and decode the PEM certificate in
CertData object, store the DER certificate back into the object,
and return the CertData object to the client. This way the client
will have access to the certificate attributes and both PEM and
DER certificates.
The PKIService.sendConditionalGetResponse() has been fixed to use
the requested format. This is needed to display the transport
certificate properly in the browser.
Ticket #1062
|
| |
|
|
|
|
|
|
|
|
| |
Some REST services that accept search keywords have been modified to
require a minimum length of 3 characters.
The DEFAULT_SIZE constant has been moved into the base PKIService
class to reduce multiple declarations.
Ticket #920
|
| |
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
| |
|
|
|
|
|
| |
Some clients might not send the Accept header when invoking the
REST services. To handle this the REST services have been modified
to use the Content-type if the Accept header is missing, or use a
default message format if Content-type is not specified.
|
| |
|
|
|
| |
The KeyClient class on the java side is modified to
have a similar design as the KeyClient class on the python side.
|
| |
|
|
|
|
|
|
| |
The CMSStartServlet has been modified to remove the code that calls
GenericServlet.destroy() because it is an empty default implementation
which was intended to provide convenience for writing servlets.
Ticket #896
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy TPS directly from the
share folder. This way the TPS UI can be upgraded automatically with
RPM upgrade without having to write upgrade scripts.
For this to work, the TPS web application files cannot contain any slot
parameters. So, the cfgPath parameter has been removed from web.xml,
and the CMSStartServlet has been modified such that if the parameter is
missing it would generate a default path matching the original value in
web.xml. Also, the velocity.properties has been modified to use a fixed
value for the file.resource.loader.path parameter pointing to the share
folder.
In the future other subsystems may be modified to use the same
deployment mechanism.
Ticket #748, #752, #499
|
| |
|
|
| |
subsystem
|
| |
|
|
|
|
|
|
|
|
|
| |
A new CLI parameter has been added to allow the user select the
REST message format. This is done by setting the default consumes
and produces when creating the client proxy. For this to work the
hard-coded @Consumes and @Produces annotations need to be removed
from the interface definition. A new interceptor has been added
to validate the message format before executing the operation.
Ticket #554
|
| |
|
|
|
|
|
|
|
|
| |
The REST interface for users has been modified to return Response objects
to allow better handling of server responses. Other REST interfaces will
be modified in subsequent patches. Once all interfaces are updated, the
client library can be updated to use RESTEasy 3.0 API. Clients using the
client library or XML/JSON directly are not affected by these changes.
Ticket #554
|
| |
|
|
|
|
|
|
|
| |
Previously the CMS.shutdown() was called multiple times during Tomcat
shutdown, one by CMSStarServlet.destroy() and the other by the shutdown
hook, causing some errors. The shutdown hook should only be used in a
standalone application, so it has been moved into CMS.main().
Bugzilla #1018628
|
|
|
The tomcat, cms, and cmscore packages have been moved from base/common
into separate folders in base/server so that they can be built separately.
|
