summaryrefslogtreecommitdiffstats
path: root/base/server/cms/src/org
Commit message (Collapse)AuthorAgeFilesLines
* Add script to enable USN pluginAde Lee2016-04-151-0/+1
| | | | | | | | | | | | | | New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception whch prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Fixed pki pkcs12-import backward compatibility.Endi S. Dewata2016-04-081-1/+1
| | | | | | | | | | | | | For backward compatibility the pki pkcs12-import has been modified to generate default nicknames and trust flags for CA certificates if they are not specified in the PKCS #12 file. The PKCS12Util was also modified to find the certificate corresponding to a key more accurately using the local ID instead of the subject DN. The configuration servlet has been modified to provide better debugging information when updating the security domain. https://fedorahosted.org/pki/ticket/2255
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-281-15/+102
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Removed unnecessary URL encoding for admin cert request.Endi S. Dewata2016-03-211-0/+4
| | | | | | | | | Due to changes in aaacd71a2f125501645885d3da1de18459782572, when pki_import_admin_cert is set to False the installation code performs an unnecessary URL encoding for the admin certificate request. The extra URL encoding has now been removed. https://fedorahosted.org/pki/ticket/1803
* Added mechanism to import system certs via PKCS #12 file.Endi S. Dewata2016-02-261-31/+24
| | | | | | | | | | | | | | | | | | | | | | The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
* Weaken PKIPrincipal to superclass in several placesFraser Tweedale2016-02-151-1/+4
| | | | | | | | | | In several places we are casting a `Principal' to `PKIPrincpal', when `GenericPrincpal' or even no cast will suffice. In upcoming external authentication support externally authenticated principals will not be instances of `PKIPrincipal', so weaken assumptions about type of the principal where possible. Part of: https://fedorahosted.org/pki/ticket/1359
* Updated CLI to run individual selftests.Endi S. Dewata2016-01-181-3/+55
| | | | | | | | | The pki selftest-run command has been modified to execute the specified selftests, or all selftests if nothing is specified. The command will also display the status of each test and the stack trace if it fails. https://fedorahosted.org/pki/ticket/1502
* Added table to manage TPS user profiles.Endi S. Dewata2016-01-181-28/+69
| | | | | | | | | | | The TPS UI has been modified to provide a table as an interface to manage the user profiles. When adding a profile, the profile can be selected from a list of available profiles. The UserService and UGSubsystem have been modified to allow adding a user with no assigned profiles. https://fedorahosted.org/pki/ticket/1478
* Added mechanism to import existing CA certificate.Endi S. Dewata2015-11-251-4/+34
| | | | | | | | | | | The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA. https://fedorahosted.org/pki/ticket/456
* Replaced legacy HttpClient.Endi S. Dewata2015-10-221-5/+5
| | | | | | | | | | | | | The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap. The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter. https://fedorahosted.org/pki/ticket/342
* Removed unused WizardServlet.Endi S. Dewata2015-10-221-20/+19
| | | | | | | | | | The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well. https://fedorahosted.org/pki/ticket/1120
* Refactored SecurityDomainProcessor.Endi S. Dewata2015-10-131-3/+13
| | | | | | | | | | The SecurityDomainProcessor.getEnterpriseGroupName() has been added to simplify ConfigurationUtils.getGroupName(). The SecurityDomainProcessor.getInstallToken() has been modified to validate the user role and to generate safer session ID. https://fedorahosted.org/pki/ticket/1633
* Added Java client and CLI support for Feature resource.Ade Lee2015-10-021-3/+3
|
* Fixed user search in PasswdUserDBAuthentication.Endi S. Dewata2015-10-021-0/+10
| | | | | | | | | The PasswdUserDBAuthentication.authenticate() has been modified such that it uses the UGSubsystem to find the user in the proper LDAP subtree to avoid matching other LDAP entries that contain a uid attribute. https://fedorahosted.org/pki/ticket/1580
* Added Features REST API resourceAde Lee2015-09-271-0/+66
| | | | | | | | | This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features. The Java client is not included in this commit. Will add in a subsequent commit.
* Add code to reindex data during cloning without replicationAde Lee2015-07-311-0/+1
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Fix code to add replicationdb password unless already presentAde Lee2015-07-241-1/+1
| | | | | | | | | The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independantly of whether replication is being set up in case it is needed to set up replication (as a master) later. Related to Ticket 1414
* Ticket 1447 pkispawn: findCertByNickname fails to find cert in creating ↵Christina Fu2015-07-061-5/+9
| | | | shared tomcat subsystems on HSM
* Cleaned up SystemConfigService.configureClone().Endi S. Dewata2015-07-011-50/+22
| | | | | | The getCloningData() in SystemConfigService has been renamed to configureClone(). Redundant try-catch blocks have been removed. Some exception messages have been modified to include more info.
* Cleaned up SystemConfigService.validateRequest().Endi S. Dewata2015-07-011-31/+38
| | | | | | | | | | The configure() in SystemConfigService method has been modified to log only the error message in normal responses but log the full stack trace when unexpected issues occur. The validateData() in SystemConfigService has been renamed to validateRequest() for clarity. The log messages have been modified to include the invalid values entered in the request.
* Fix for HSM cloning issueMatthew Harmsen2015-06-171-0/+8
|
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in ↵Christina Fu2015-05-221-0/+1
| | | | the token db cert entry
* disable backup keys and share master keys when using an HSMMatthew Harmsen2015-05-221-0/+12
| | | | | - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
* Fixed key archival problem in CLI with separate KRA instance.Endi S. Dewata2015-05-221-30/+83
| | | | | | | | | | The CLI has been modified such that when enrolling a certificate with key archival it will obtain the transport certificate from the CA instead of KRA because the KRA may not reside on the same instance. The CA REST service has been modified such that it will obtain the transport certificate from the KRA connector. https://fedorahosted.org/pki/ticket/1384
* Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfoChristina Fu2015-05-131-36/+188
| | | | | | - (1) REST API auth/authz - this patch addresses the first part of this ticket where auditing is completely missing for authentication and authorization at the REST interface.
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-111-14/+9
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-0/+100
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* Ticket 1316 Allow adding SAN to server cert during the install processChristina Fu2015-04-211-0/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) check the sl sever cert, it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
* NISTSP8000 feature.Jack Magne2015-03-171-0/+1
| | | | | | | | | | | | | | | | | | | Implementation of the nistSP800 dervication feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist dervication code is being called. Review comments addressed Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's. Final review comments. Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg .
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-2/+2
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).Jack Magne2015-02-271-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | First cut of gp211 and scp protocol 02 for tokens. Allow token operations using a GP211 token over secure channel protocol 02. This patch supports the following: 1. Token operations with a GP211 card and SCP02 protocol, implementation 15. 2. Token still supports GP201 cards with SCP01. 3. SCP02 tested with SC650 gp211/scp02 card. Things still to do: 1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed. 2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket. 3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later. 4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionalityChristina Fu2015-02-101-1/+3
|
* Added support for exception chains in EBaseException.Endi S. Dewata2015-01-211-9/+9
| | | | | | | | | | | The EBaseException has been modified to provide constructors that can be used to chain the cause of the exception. This way the root cause of the exception can be traced back to help troubleshooting. Some codes have been modified to utilize the proper exception chaining as examples. https://fedorahosted.org/pki/ticket/915
* Fixed problem importing renewed system certificate.Endi S. Dewata2014-12-121-5/+7
| | | | | | | | | | | | Previously during clone installation if the PKCS12 file contains both expired and renewed certificates the code might incorrectly import the expired certificate instead of the renewed one, thus failing the installation. The code has been fixed to validate the certificates in the PKCS12 file such that only the valid ones will be imported into the clone. https://fedorahosted.org/pki/ticket/1093
* Fix sub-CA installation with own security domainAde Lee2014-10-011-83/+141
| | | | | | | | | Installation code failed to anticipate installation of a subordinate CA that would host its own security domain. This patch includes changes to python installation code, java configuration servlet and changes to man pages. Ticket 1132
* ticket #1110 pkispawn (configuration) does not provide CA extensions in ↵Christina Fu2014-09-251-0/+9
| | | | subordinate certificate signing requests (CSR)
* ticket 941 Renewal/Reenroll/Recovery/Renew policy 3rd cut; Renewal code; ↵Christina Fu2014-08-291-0/+3
| | | | RetrieveCert code
* Fixed problems in group operations.Endi S. Dewata2014-08-271-5/+10
| | | | | | | | | | | | | Previously modifying the description of an empty group failed because the server tried to delete a uniqueMember attribute that did not exist because the group was already empty. The servlets and group subsystem has been fixed to retrieve the existing group data first, perform the changes on it, then save it back to the database. Also adding a new group will no longer require a description because it's not required by the LDAP object class. Ticket #818
* Add ability to create database as subtree of existing treeAde Lee2014-07-171-13/+17
| | | | | | | | | | | | | | | | This patch adds the ability to create a subsystem that uses an existing subtree to create the internal basedn. This is useful for instance, for IPA which will use the original o=ipaca as the top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca. The patch also allows such a system to be cloned, but not to setup the replication agreements, on the assumption that the data is already being replicated at the top-level DN or some higher level. The patch also contains some minor cleanups - removing unused imports and removal of an invalid reference in the python code. Ticket 1051
* Added transport cert attributes.Endi S. Dewata2014-07-091-9/+14
| | | | | | | | The REST service has been modified to return additional attributes for transport certificate including serial number, issuer DN, subject DN, and resource link. Ticket #1065
* ticket #941 Part1 TPS Rewrite: Enrollment, Recovery, KeyRecovery, ↵Christina Fu2014-06-161-4/+4
| | | | revoke/unrevoke processor
* Added minimum search keyword length requirement.Endi S. Dewata2014-05-124-24/+39
| | | | | | | | | | Some REST services that accept search keywords have been modified to require a minimum length of 3 characters. The DEFAULT_SIZE constant has been moved into the base PKIService class to reduce multiple declarations. Ticket #920
* Added filter to UserService.findUserMemberships().Endi S. Dewata2014-05-081-2/+5
| | | | | | | | The UserService.findUserMemberships() has been modified to accept an additional parameter to filter the groups in which the user is a member. The CLI has been updated accordingly. Ticket #920
* Added filter to GroupService.findGroupMembers().Endi S. Dewata2014-05-081-2/+4
| | | | | | | | The GroupService.findGroupMembers() has been modified to accept an additional parameter to filter the group members to be returned. The CLI has been modified accordingly. Ticket #920
* Replace filter in UGSubsystem.listGroups().Endi S. Dewata2014-05-081-2/+0
| | | | | | | | | | The UGSubsystem.listGroups() has been modified to generate an LDAP filter from a keyword. The filter itself cannot contain wildcards. The wildcard will be added in listGroups(). In the future the filter will be made configurable to allow searching different attributes. Ticket #920
* Fixed message format for PKIException.Endi S. Dewata2014-05-071-0/+26
| | | | | | | | | | | Previously PKIException was not displayed properly in browser because it doesn't have a writer for HTML. Now the exception mapper will compute the message format properly, and will default to XML. The exception mapper itself has been moved into a server package due to class dependency. The REST application classes have been updated accordingly. Ticket #554
* Replaced filter in UGSubsystem.findUsers().Endi S. Dewata2014-05-051-2/+0
| | | | | | | | | The findUsers() method in UGSubsystem has been modified to search additional attributes in the user database. This method is only used by the UserService, so the impact is limited to user-find CLI command in all subsystems and TPS UI. Ticket #920
* Fixed TPS connector configuration.Endi S. Dewata2014-04-301-23/+4
| | | | | | | | | | | | | | | | | | | | The code that configures the TPS connectors during installation has been modified to use the ConnectionDatabase, which is also used by the CLI/UI after the installation. The code has also been fixed to configure the correct properties as defined in CS.cfg. The static properties have been removed from CS.cfg because now they will be generated dynamically by the ConnectionDatabase. Due to class dependency issue, the methods for configuring the TPS connectors have been moved from ConfigurationUtils into a new TPSInstaller class. The URI's in ConfigurationRequest have been converted from String into URI to simplify validation. Ticket #890
* Updated REST interface for security domain.Endi S. Dewata2014-04-281-4/+8
| | | | | | | The REST interface for security domain has been modified to return Response objects to allow better handling of server responses. Ticket #554
* Refactored SystemConfigService (part 12).Endi S. Dewata2014-04-251-127/+3
| | | | | | | Subsystem-specific configuration codes have been moved from the SystemConfigService into the subsystem-specific installer. Ticket #890
generated by cgit (git 2.34.1) at 2024-05-20 01:59:36 +0000