path: root/base/server/cms
Commit message (author, date; files changed, lines -/+)
* Fixed exception handling in EnrollProfile. (Endi S. Dewata, 2016-03-24; 1 file, -70/+87)
  To help troubleshooting the EnrollProfile has been modified to log the stack trace and chain the exception.
  https://fedorahosted.org/pki/ticket/1654
* Allow multiple ACLs of same name (union of rules) (Fraser Tweedale, 2016-03-22; 1 file, -1/+13)
  Several lightweight CA ACLs share the 'certServer.ca.authorities' name, but when loading ACLs each load overwrites the previous. If multiple resourceACLS values have the same name, instead of replacing the existing ACL with the new one, add the rights and rules to the existing ACL.
  Part of: https://fedorahosted.org/pki/ticket/1625
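The difference between the two loading policies described in the commit above, as an added example that is not Dogtag's own code: a last-one-wins loader silently drops the rules of every earlier same-named value, while a merging loader unions their rights and rules. The `name:rights:rules:description` value layout, the rule separator `;`, and the sample ACL values are assumptions made for this illustration.

```python
# Added example (not Dogtag's own code): loading same-named resourceACLS
# values by overwriting versus by union.
# Assumed value layout: "name:right1,right2:rule1;rule2:description".

from dataclasses import dataclass, field


@dataclass
class ACL:
    name: str
    rights: list = field(default_factory=list)
    rules: list = field(default_factory=list)
    description: str = ""


def parse_acl(value: str) -> ACL:
    """Split one resourceACLS value into its four fields (assumed layout)."""
    name, rights, rules, description = value.split(":", 3)
    return ACL(
        name=name.strip(),
        rights=[r.strip() for r in rights.split(",") if r.strip()],
        rules=[r.strip() for r in rules.split(";") if r.strip()],
        description=description.strip(),
    )


def load_acls(values, merge=True):
    """Load ACL values into a table keyed by ACL name.

    merge=False reproduces the old last-one-wins behaviour: a later value
    with the same name replaces the earlier one, discarding its rules.
    merge=True unions rights and rules of same-named values, keeping
    first-seen order and dropping exact duplicates.
    """
    table = {}
    for value in values:
        acl = parse_acl(value)
        existing = table.get(acl.name)
        if existing is None or not merge:
            table[acl.name] = acl
            continue
        for right in acl.rights:
            if right not in existing.rights:
                existing.rights.append(right)
        for rule in acl.rules:
            if rule not in existing.rules:
                existing.rules.append(rule)
        if not existing.description:
            existing.description = acl.description
    return table


# Constructed sample values sharing one name (group names are made up).
SAMPLE_VALUES = [
    'certServer.ca.authorities:list,read:allow (list,read) user="anybody":List and read authorities',
    'certServer.ca.authorities:create,modify,delete:allow (create,modify,delete) group="Administrators":Manage authorities',
]


def lost_rules(values):
    """Rules present under the merge policy but absent under overwrite."""
    merged = load_acls(values, merge=True)
    overwritten = load_acls(values, merge=False)
    lost = []
    for name, acl in merged.items():
        kept = overwritten[name].rules
        lost.extend(r for r in acl.rules if r not in kept)
    return lost


if __name__ == "__main__":
    for name, acl in load_acls(SAMPLE_VALUES).items():
        print(name, acl.rights, acl.rules)
    print("rules lost by overwrite:", lost_rules(SAMPLE_VALUES))
```

With the overwrite policy the anonymous list/read rule disappears entirely, which is exactly the kind of silent access change that is hard to notice until a request is denied; with the union policy both rules survive. Note that the merge is per name only, so two values that intend different, conflicting policies under one name are combined rather than flagged.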
* Remove unused class 'RAEnrollProfile' (Fraser Tweedale, 2016-03-22; 1 file, -128/+0)
* Removed unnecessary URL encoding for admin cert request. (Endi S. Dewata, 2016-03-21; 2 files, -2/+8)
  Due to changes in aaacd71a2f125501645885d3da1de18459782572, when pki_import_admin_cert is set to False the installation code performs an unnecessary URL encoding for the admin certificate request. The extra URL encoding has now been removed.
  https://fedorahosted.org/pki/ticket/1803
* Move OCSP digest name lookup to CertID class (Fraser Tweedale, 2016-03-03; 2 files, -4/+2)
  The OCSP digest name lookup is currently defined in IOCSPAuthority and implemented by OCSPAuthority, but /any/ code that deals with CertID might need to know the digest, so move the lookup there. Also refactor the lookup to use a HashMap, and add mappings for SHA2 algorithms.
* Added mechanism to import system certs via PKCS #12 file. (Endi S. Dewata, 2016-02-26; 2 files, -68/+63)
  The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed.
  If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path.
  For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates.
  The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting.
  https://fedorahosted.org/pki/ticket/1742
* Lightweight CAs: enrol cert via profile subsystem (Fraser Tweedale, 2016-02-22; 2 files, -6/+24)
  Enrol new CA certs via the profile subsystem to ensure that the usual audit events are logged and to avoid the nasty ConfigStore hack used to generate the cert via CertUtil.
  This commit also fixes an issue where the new CA certificate does not have the correct Authority Key Identifier extension.
  Fixes: https://fedorahosted.org/pki/ticket/1624
  Fixes: https://fedorahosted.org/pki/ticket/1632
* Weaken PKIPrincipal to superclass in several places (Fraser Tweedale, 2016-02-15; 1 file, -1/+4)
  In several places we are casting a `Principal' to `PKIPrincipal', when `GenericPrincipal' or even no cast will suffice. In upcoming external authentication support externally authenticated principals will not be instances of `PKIPrincipal', so weaken assumptions about type of the principal where possible.
  Part of: https://fedorahosted.org/pki/ticket/1359
* Added resource bundle for token state labels. (Endi S. Dewata, 2016-02-05; 1 file, -0/+41)
  The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overridden by copying and customizing the file into <instance>/tps/conf.
  When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
* Avoid profile race conditions by tracking entryUSN (Fraser Tweedale, 2016-01-19; 1 file, -0/+3)
  Avoid race conditions in the LDAPProfileSubsystem by tracking the most recently known entryUSN of profiles' LDAP entries.
  As part of this change, add the commitProfile method to the IProfileSubsystem interface, remove commit behaviour from the enableProfile and disableProfile methods and update ProfileService and ProfileApproveServlet to commit the profile (using the commitProfile method) where needed.
  Part of: https://fedorahosted.org/pki/ticket/1700
* Updated CLI to run individual selftests. (Endi S. Dewata, 2016-01-18; 1 file, -3/+55)
  The pki selftest-run command has been modified to execute the specified selftests, or all selftests if nothing is specified. The command will also display the status of each test and the stack trace if it fails.
  https://fedorahosted.org/pki/ticket/1502
* Added table to manage TPS user profiles. (Endi S. Dewata, 2016-01-18; 1 file, -28/+69)
  The TPS UI has been modified to provide a table as an interface to manage the user profiles. When adding a profile, the profile can be selected from a list of available profiles.
  The UserService and UGSubsystem have been modified to allow adding a user with no assigned profiles.
  https://fedorahosted.org/pki/ticket/1478
* Fixed mismatching certificate validity calculation. (Endi S. Dewata, 2016-01-08; 1 file, -13/+66)
  The CAValidityDefault has been modified to use Calendar API to calculate the certificate validity range to be consistent with the ValidityConstraint and ValidityDefault.
  https://fedorahosted.org/pki/ticket/1682
* Remove unused constant (Fraser Tweedale, 2015-12-22; 1 file, -3/+0)
* Fixed selftest error handling. (Endi S. Dewata, 2015-12-01; 3 files, -20/+25)
  The selftest has been modified to throw an exception and provide more specific error message if a test fails in order to help troubleshoot the problem.
  https://fedorahosted.org/pki/ticket/1328
* Added mechanism to import existing CA certificate. (Endi S. Dewata, 2015-11-25; 2 files, -4/+135)
  The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA.
  https://fedorahosted.org/pki/ticket/456
* Refactored LDAPSecurityDomainSessionTable. (Endi S. Dewata, 2015-10-29; 2 files, -15/+14)
  The LDAPSecurityDomainSessionTable has been modified to throw an exception if there is a failure.
  https://fedorahosted.org/pki/ticket/1633
* Replaced legacy HttpClient. (Endi S. Dewata, 2015-10-22; 4 files, -307/+261)
  The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap.
  The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter.
  https://fedorahosted.org/pki/ticket/342
* Removed unused WizardServlet. (Endi S. Dewata, 2015-10-22; 26 files, -6975/+59)
  The unused configuration wizard servlet has been removed to simplify refactoring other code. The remaining references in CertUtil and ConfigurationUtils have been removed as well.
  https://fedorahosted.org/pki/ticket/1120
* Refactored SecurityDomainProcessor. (Endi S. Dewata, 2015-10-13; 3 files, -45/+47)
  The SecurityDomainProcessor.getEnterpriseGroupName() has been added to simplify ConfigurationUtils.getGroupName(). The SecurityDomainProcessor.getInstallToken() has been modified to validate the user role and to generate safer session ID.
  https://fedorahosted.org/pki/ticket/1633
* Added Java client and CLI support for Feature resource. (Ade Lee, 2015-10-02; 1 file, -3/+3)
* Fixed user search in PasswdUserDBAuthentication. (Endi S. Dewata, 2015-10-02; 2 files, -23/+20)
  The PasswdUserDBAuthentication.authenticate() has been modified such that it uses the UGSubsystem to find the user in the proper LDAP subtree to avoid matching other LDAP entries that contain a uid attribute.
  https://fedorahosted.org/pki/ticket/1580
* Refactored certificate processors. (Endi S. Dewata, 2015-09-30; 7 files, -47/+100)
  The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets).
  The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
  https://fedorahosted.org/pki/ticket/1463
* Relocated legacy cert enrollment methods. (Endi S. Dewata, 2015-09-30; 4 files, -52/+73)
  The EnrollmentProcessor.processEnrollment() and RenewalProcessor.processRenewal() methods that take CMSRequest object have been moved into ProfileSubmitServlet because they are only used by the legacy servlet.
  https://fedorahosted.org/pki/ticket/1463
* Added Features REST API resource (Ade Lee, 2015-09-27; 1 file, -0/+66)
  This will help us track whether or not a server has a feature either offered or enabled. Ultimately, it could be used by an admin to enable or disable features.
  The Java client is not included in this commit. Will add in a subsequent commit.
* Lightweight CAs: REST cert request param to specify authority (Fraser Tweedale, 2015-09-26; 1 file, -3/+9)
  Add the optional "ca" query parameter for REST cert request submission. Also update the ca-cert-request-submit CLI command with an option to provide an AuthorityID.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Lightweight CAs: initial support (Fraser Tweedale, 2015-09-26; 9 files, -30/+114)
  This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA".
  We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Fixed pkidbuser group memberships. (Endi S. Dewata, 2015-09-15; 1 file, -28/+59)
  Due to a certificate mapping issue the subsystem certificate can be mapped into either the subsystem user or pkidbuser, which may cause problems since the users don't belong to the same groups.
  As a temporary solution the pkidbuser is now added into the same groups. This way the client subsystem can always access the services regardless of which user the certificate is actually mapped to.
  https://fedorahosted.org/pki/ticket/1595
* setpin utility doesn't set the pin for users. (Jack Magne, 2015-08-13; 1 file, -0/+5)
  There were some things wrong with the setpin utility.
  1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased.
  2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning '-'
  3. We also need to prepend the dn in front of the pin so the back end can verify the set pin. Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment.
  4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
* Fixed missing query parameters in ListCerts page. (Endi S. Dewata, 2015-08-12; 1 file, -31/+29)
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
* Ticket 1531 Directory auth plugin requires LDAP anonymous binds (Christina Fu, 2015-08-07; 5 files, -10/+92)
  - This patch adds a feature to allow a directory based authentication plugin to use bound ldap connection instead of anonymous.
  Two files need to be edited:
  1. <instance>/conf/password.conf
     add a "tag" and the password of the binding user dn to the file
     e.g. externalLDAP=password123
  2. <instance>/ca/CS.cfg
     add the tag to cms.passwordlist:
     e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
     add the authPrefix of the auths entry for the authentication instance
     e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
     add relevant entries to the authentication instance
     e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
          auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
          auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
          auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
* Fixed missing cert request hostname and address. (Endi S. Dewata, 2015-08-05; 4 files, -27/+33)
  The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI.
  An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.
  https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replication (Ade Lee, 2015-07-31; 2 files, -30/+68)
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* Fix code to add replicationdb password unless already present (Ade Lee, 2015-07-24; 1 file, -1/+1)
  The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independently of whether replication is being set up in case it is needed to set up replication (as a master) later.
  Related to Ticket 1414
* Fix exception when talking to dogtag 9 systems (Ade Lee, 2015-07-16; 1 file, -6/+3)
  When getting a token from the security domain for a Dogtag 9 system, we first attempt to reach the REST interfaces. When this fails (with 404 exception), we catch the exception and try the old interfaces.
  The exception being thrown has been changed from the deprecated ClientResponseFailure to being wrapped in a PKIException, so the code catching the exception needs to be modified accordingly.
  Ticket 1495
* Fixed PKCS12Export output. (Endi S. Dewata, 2015-07-15; 1 file, -1/+3)
  The PKCS12Export has been modified such that if an error occurs in normal mode it will display the error message and in debug mode it will display the full stack trace.
  The code has also been refactored such that it can be reused as a library in addition to command-line tool. The code will now throw exceptions instead of exiting to the system.
  https://fedorahosted.org/pki/ticket/1224
* Fixed cert-find performance. (Endi S. Dewata, 2015-07-15; 1 file, -21/+65)
  The CertService.searchCerts() has been modified to use the VLV properly to retrieve just the entries in the requested page, thus reducing the response time and memory requirement.
  Some classes have been modified to clean up the debugging logs.
* Fixed user-cert-add --serial with remote CA. (Endi S. Dewata, 2015-07-09; 1 file, -6/+4)
  The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally.
  A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance.
  The SubsystemCLI has been modified to call logout() only if the operation is executed successfully.
  The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient.
  https://fedorahosted.org/pki/ticket/1448
* Fixed default cert-find filter. (Endi S. Dewata, 2015-07-06; 1 file, -120/+128)
  To improve the performance the default LDAP filter generated by cert-find has been changed to (certStatus=*) to match an existing VLV index.
  https://fedorahosted.org/pki/ticket/1449
* Ticket 1447 pkispawn: findCertByNickname fails to find cert in creating shared tomcat subsystems on HSM (Christina Fu, 2015-07-06; 1 file, -5/+9)
* Cleaned up SystemConfigService.configureClone(). (Endi S. Dewata, 2015-07-01; 1 file, -50/+22)
  The getCloningData() in SystemConfigService has been renamed to configureClone(). Redundant try-catch blocks have been removed. Some exception messages have been modified to include more info.
* Cleaned up SystemConfigService.validateRequest(). (Endi S. Dewata, 2015-07-01; 1 file, -31/+38)
  The configure() in SystemConfigService method has been modified to log only the error message in normal responses but log the full stack trace when unexpected issues occur.
  The validateData() in SystemConfigService has been renamed to validateRequest() for clarity. The log messages have been modified to include the invalid values entered in the request.
* Fixed selftests log message. (Endi S. Dewata, 2015-06-23; 10 files, -627/+269)
  The SelfTestSubsystem has been modified to display a 'successful' message only if all tests have passed. If a test fails, it will log a failure, subsequent tests will not be executed, and the subsystem will shutdown immediately.
  The runSelfTest() in various tests have been cleaned up to throw the original exception to help troubleshooting. The unused RAPresence test has been removed.
  https://fedorahosted.org/pki/ticket/1249
* Fixed thread leaks during shutdown. (Endi S. Dewata, 2015-06-18; 16 files, -35/+47)
  Various code has been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads.
  https://fedorahosted.org/pki/ticket/1327
* Fix for HSM cloning issue (Matthew Harmsen, 2015-06-17; 2 files, -0/+47)
* Make pki group-member-show case insensitive (Christian Heimes, 2015-06-16; 1 file, -2/+2)
  Make the memberID argument of getGroupMember() case insensitive. The groupID argument is already case insensitive. The groupID string is used as CN element in an LDAP query, which is case insensitive by definition.
  https://fedorahosted.org/pki/ticket/1069
* Ticket 1410 Issue with Generic Extension being critical (Christina Fu, 2015-06-15; 2 files, -2/+26)
  - patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in the token db cert entry (Christina Fu, 2015-05-22; 1 file, -0/+1)
* disable backup keys and share master keys when using an HSM (Matthew Harmsen, 2015-05-22; 1 file, -0/+12)
  - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
* Fixed key archival problem in CLI with separate KRA instance. (Endi S. Dewata, 2015-05-22; 2 files, -54/+96)
  The CLI has been modified such that when enrolling a certificate with key archival it will obtain the transport certificate from the CA instead of KRA because the KRA may not reside on the same instance.
  The CA REST service has been modified such that it will obtain the transport certificate from the KRA connector.
  https://fedorahosted.org/pki/ticket/1384