| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception whch prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryusn is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For backward compatibility the pki pkcs12-import has been modified
to generate default nicknames and trust flags for CA certificates
if they are not specified in the PKCS #12 file. The PKCS12Util was
also modified to find the certificate corresponding to a key more
accurately using the local ID instead of the subject DN.
The configuration servlet has been modified to provide better
debugging information when updating the security domain.
https://fedorahosted.org/pki/ticket/2255
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds audit logging to TPS REST wrote-specific operations.
The read-specific operations are already captured by AuditEvent=AUTHZ_*
The affected (new or modified) log messages include:
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
|
|
|
|
|
|
|
|
|
| |
Due to changes in aaacd71a2f125501645885d3da1de18459782572, when
pki_import_admin_cert is set to False the installation code
performs an unnecessary URL encoding for the admin certificate
request. The extra URL encoding has now been removed.
https://fedorahosted.org/pki/ticket/1803
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
| |
In several places we are casting a `Principal' to `PKIPrincpal',
when `GenericPrincpal' or even no cast will suffice. In upcoming
external authentication support externally authenticated principals
will not be instances of `PKIPrincipal', so weaken assumptions about
type of the principal where possible.
Part of: https://fedorahosted.org/pki/ticket/1359
|
|
|
|
|
|
|
|
|
| |
The pki selftest-run command has been modified to execute the
specified selftests, or all selftests if nothing is specified.
The command will also display the status of each test and the
stack trace if it fails.
https://fedorahosted.org/pki/ticket/1502
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.
The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.
https://fedorahosted.org/pki/ticket/342
|
|
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
|
|
|
|
|
|
|
|
|
|
| |
The SecurityDomainProcessor.getEnterpriseGroupName() has been
added to simplify ConfigurationUtils.getGroupName().
The SecurityDomainProcessor.getInstallToken() has been modified
to validate the user role and to generate safer session ID.
https://fedorahosted.org/pki/ticket/1633
|
| |
|
|
|
|
|
|
|
|
|
| |
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.
https://fedorahosted.org/pki/ticket/1580
|
|
|
|
|
|
|
|
|
| |
This will help us track whether or not a server has a feature
either offered or enabled. Ultimately, it could be used by
an admin to enable or disable features.
The Java client is not included in this commit. Will add in
a subsequent commit.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
|
| |
The replicationdb password is an instance parameter and should
be created by the first subsystem in the instance. This should
happen independantly of whether replication is being set up
in case it is needed to set up replication (as a master) later.
Related to Ticket 1414
|
|
|
|
| |
shared tomcat subsystems on HSM
|
|
|
|
|
|
| |
The getCloningData() in SystemConfigService has been renamed to
configureClone(). Redundant try-catch blocks have been removed.
Some exception messages have been modified to include more info.
|
|
|
|
|
|
|
|
|
|
| |
The configure() in SystemConfigService method has been modified to
log only the error message in normal responses but log the full
stack trace when unexpected issues occur.
The validateData() in SystemConfigService has been renamed to
validateRequest() for clarity. The log messages have been modified
to include the invalid values entered in the request.
|
| |
|
|
|
|
| |
the token db cert entry
|
|
|
|
|
| |
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
HSM (and provide recommendation); allow clones to share keys
|
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when enrolling a certificate
with key archival it will obtain the transport certificate from
the CA instead of KRA because the KRA may not reside on the same
instance. The CA REST service has been modified such that it will
obtain the transport certificate from the KRA connector.
https://fedorahosted.org/pki/ticket/1384
|
|
|
|
|
|
| |
- (1) REST API auth/authz - this patch addresses the first part of this
ticket where auditing is completely missing for authentication and
authorization at the REST interface.
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.
https://fedorahosted.org/pki/ticket/1354
|
|
|
|
|
|
|
|
|
|
|
| |
The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implementation of the nistSP800 dervication feature.
Works for both supported scp01 cards and scp02 cards.
During the various session key and key upgrade functions, the nist dervication code is being called.
Review comments addressed
Cleanup of some input validation on the TKS.
Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
Final review comments.
Fixed issue with extracting the kdd from the AppletInfo class.
Fixed issue with sending the KDD to the encryptData TKS servlet.
Added requested entries to the CS.cfg .
|
|
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
First cut of gp211 and scp protocol 02 for tokens.
Allow token operations using a GP211 token over secure channel protocol 02.
This patch supports the following:
1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
2. Token still supports GP201 cards with SCP01.
3. SCP02 tested with SC650 gp211/scp02 card.
Things still to do:
1. Right now the SCP02 support has been tested with the current gp201 applet and
enrollment and formatting works just fine. We need to modify and compile the applet
against the GP211 spec and retest to see if any further changes are needed.
2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some
of the routines are self contained vs similar SCP01 ones. We have another ticket to
complete the nistSP800 support from end to end. This work will be done for that ticket.
3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism.
As of now this work is done by simple encryption, this can be done later.
4. The security APDU level of "RMAC" is not supported because the card does not support it.
It could have been done to the spec, but it having the card to test is more convenient and there
were more crucial issues to this point.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The EBaseException has been modified to provide constructors that
can be used to chain the cause of the exception. This way the root
cause of the exception can be traced back to help troubleshooting.
Some codes have been modified to utilize the proper exception
chaining as examples.
https://fedorahosted.org/pki/ticket/915
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously during clone installation if the PKCS12 file contains
both expired and renewed certificates the code might incorrectly
import the expired certificate instead of the renewed one, thus
failing the installation.
The code has been fixed to validate the certificates in the PKCS12
file such that only the valid ones will be imported into the clone.
https://fedorahosted.org/pki/ticket/1093
|
|
|
|
|
|
|
|
|
| |
Installation code failed to anticipate installation of a subordinate
CA that would host its own security domain. This patch includes changes
to python installation code, java configuration servlet and
changes to man pages.
Ticket 1132
|
|
|
|
| |
subordinate certificate signing requests (CSR)
|
|
|
|
| |
RetrieveCert code
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously modifying the description of an empty group failed
because the server tried to delete a uniqueMember attribute that
did not exist because the group was already empty. The servlets and
group subsystem has been fixed to retrieve the existing group data
first, perform the changes on it, then save it back to the database.
Also adding a new group will no longer require a description because
it's not required by the LDAP object class.
Ticket #818
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the ability to create a subsystem that uses
an existing subtree to create the internal basedn. This is useful
for instance, for IPA which will use the original o=ipaca as the
top level DN for a KRA, which will be situated at o=ipadrm, o=ipaca.
The patch also allows such a system to be cloned, but not to setup the
replication agreements, on the assumption that the data is already being
replicated at the top-level DN or some higher level.
The patch also contains some minor cleanups - removing unused imports and
removal of an invalid reference in the python code.
Ticket 1051
|
|
|
|
|
|
|
|
| |
The REST service has been modified to return additional attributes
for transport certificate including serial number, issuer DN,
subject DN, and resource link.
Ticket #1065
|
|
|
|
| |
revoke/unrevoke processor
|
|
|
|
|
|
|
|
|
|
| |
Some REST services that accept search keywords have been modified to
require a minimum length of 3 characters.
The DEFAULT_SIZE constant has been moved into the base PKIService
class to reduce multiple declarations.
Ticket #920
|
|
|
|
|
|
|
|
| |
The UserService.findUserMemberships() has been modified to accept
an additional parameter to filter the groups in which the user
is a member. The CLI has been updated accordingly.
Ticket #920
|
|
|
|
|
|
|
|
| |
The GroupService.findGroupMembers() has been modified to accept an
additional parameter to filter the group members to be returned.
The CLI has been modified accordingly.
Ticket #920
|
|
|
|
|
|
|
|
|
|
| |
The UGSubsystem.listGroups() has been modified to generate an
LDAP filter from a keyword. The filter itself cannot contain
wildcards. The wildcard will be added in listGroups(). In the
future the filter will be made configurable to allow searching
different attributes.
Ticket #920
|
|
|
|
|
|
|
|
|
|
|
| |
Previously PKIException was not displayed properly in browser
because it doesn't have a writer for HTML. Now the exception mapper
will compute the message format properly, and will default to XML.
The exception mapper itself has been moved into a server package
due to class dependency. The REST application classes have been
updated accordingly.
Ticket #554
|
|
|
|
|
|
|
|
|
| |
The findUsers() method in UGSubsystem has been modified to search
additional attributes in the user database. This method is only
used by the UserService, so the impact is limited to user-find
CLI command in all subsystems and TPS UI.
Ticket #920
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code that configures the TPS connectors during installation
has been modified to use the ConnectionDatabase, which is also
used by the CLI/UI after the installation.
The code has also been fixed to configure the correct properties
as defined in CS.cfg. The static properties have been removed
from CS.cfg because now they will be generated dynamically by
the ConnectionDatabase.
Due to class dependency issue, the methods for configuring the TPS
connectors have been moved from ConfigurationUtils into a new
TPSInstaller class.
The URI's in ConfigurationRequest have been converted from String
into URI to simplify validation.
Ticket #890
|
|
|
|
|
|
|
| |
The REST interface for security domain has been modified to return
Response objects to allow better handling of server responses.
Ticket #554
|
|
|
|
|
|
|
| |
Subsystem-specific configuration codes have been moved from the
SystemConfigService into the subsystem-specific installer.
Ticket #890
|