path: root/base/server/cms
Commit message (author, date, files changed, lines removed/added)
* Fixed mismatching certificate validity calculation. (Endi S. Dewata, 2016-02-22, 1 file, -13/+66)
  The CAValidityDefault has been modified to use Calendar API to calculate the certificate validity range to be consistent with the ValidityConstraint and ValidityDefault.
  https://fedorahosted.org/pki/ticket/1682
  (cherry picked from commit 9193fe5191d1bd857b7e1f5a398c6a279b42ec84)
* Added mechanism to import existing CA certificate. (Endi S. Dewata, 2016-02-22, 2 files, -4/+135)
  The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
* Avoid profile race conditions by tracking entryUSN (Fraser Tweedale, 2016-01-21, 1 file, -0/+3)
  Avoid race conditions in the LDAPProfileSubsystem by tracking the most recently known entryUSN of profiles' LDAP entries.
  As part of this change, add the commitProfile method to the IProfileSubsystem interface, remove commit behaviour from the enableProfile and disableProfile methods and update ProfileService and ProfileApproveServlet to commit the profile (using the commitProfile method) where needed.
  Part of: https://fedorahosted.org/pki/ticket/1700
* Replaced legacy HttpClient. (Endi S. Dewata, 2015-10-23, 4 files, -307/+261)
  The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap.
  The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter.
  https://fedorahosted.org/pki/ticket/342
  (cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
* Removed unused WizardServlet. (Endi S. Dewata, 2015-10-23, 26 files, -6975/+59)
  The unused configuration wizard servlet has been removed to simplify refactoring other code. The remaining references in CertUtil and ConfigurationUtils have been removed as well.
  https://fedorahosted.org/pki/ticket/1120
  (cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
* Fixed user search in PasswdUserDBAuthentication. (Endi S. Dewata, 2015-10-06, 2 files, -23/+20)
  The PasswdUserDBAuthentication.authenticate() has been modified such that it uses the UGSubsystem to find the user in the proper LDAP subtree to avoid matching other LDAP entries that contain a uid attribute.
  https://fedorahosted.org/pki/ticket/1580
  (cherry picked from commit 017d582ba50fe4ffc4bedf40a5229fb6aa381b37)
* Refactored certificate processors. (Endi S. Dewata, 2015-09-30, 7 files, -48/+103)
  The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets).
  The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
* Relocated legacy cert enrollment methods. (Endi S. Dewata, 2015-09-30, 4 files, -51/+72)
  The EnrollmentProcessor.processEnrollment() and RenewalProcessor.processRenewal() methods that take CMSRequest object have been moved into ProfileSubmitServlet because they are only used by the legacy servlet.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 0e728a28c1a5515bb7dbf5ee799c093bd6db6813)
* Fixed pkidbuser group memberships. (Matthew Harmsen, 2015-09-23, 1 file, -28/+59)
  Due to a certificate mapping issue the subsystem certificate can be mapped into either the subsystem user or pkidbuser, which may cause problems since the users don't belong to the same groups. As a temporary solution the pkidbuser is now added into the same groups. This way the client subsystem can always access the services regardless of which user the certificate is actually mapped to.
  Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival
  https://fedorahosted.org/pki/ticket/1595
  (cherry picked from commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76)
  Conflicts:
    base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
* setpin utility doesn't set the pin for users. (Jack Magne, 2015-08-14, 1 file, -0/+5)
  There were some things wrong with the setpin utility.
  1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased.
  2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning '-'
  3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
     Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment.
  4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
  (cherry picked from commit f60846e025ff5492e8c05ccf525fe8df1b59bba6)
* Fixed missing query parameters in ListCerts page. (Endi S. Dewata, 2015-08-14, 1 file, -31/+29)
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
  (cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
* Ticket 1531 Directory auth plugin requires LDAP anonymous binds (Christina Fu, 2015-08-07, 5 files, -10/+92)
  - This patch adds a feature to allow a directory based authentication plugin to use bound ldap connection instead of anonymous.
  Two files need to be edited:
  1. <instance>/conf/password.conf
     add a "tag" and the password of the binding user dn to the file, e.g.
       externalLDAP=password123
  2. <instance>/ca/CS.cfg
     add the tag to cms.passwordlist, e.g.
       cms.passwordlist=internaldb,replicationdb,externalLDAP
     add the authPrefix of the auths entry for the authentication instance, e.g.
       externalLDAP.authPrefix=auths.instance.UserDirEnrollment
     add relevant entries to the authentication instance, e.g.
       auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
       auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
       auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
       auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
* Fixed missing cert request hostname and address. (Endi S. Dewata, 2015-08-05, 4 files, -27/+33)
  The CA services have been modified to inject request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI.
  An unused method in CertRequestResource has been removed. Some debug messages have been cleaned as well.
  https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replication (Ade Lee, 2015-07-31, 2 files, -30/+68)
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* Fix code to add replicationdb password unless already present (Ade Lee, 2015-07-24, 1 file, -1/+1)
  The replicationdb password is an instance parameter and should be created by the first subsystem in the instance. This should happen independently of whether replication is being set up in case it is needed to set up replication (as a master) later.
  Related to Ticket 1414
* Fix exception when talking to dogtag 9 systems (Ade Lee, 2015-07-16, 1 file, -6/+3)
  When getting a token from the security domain for a Dogtag 9 system, we first attempt to reach the REST interfaces. When this fails (with 404 exception), we catch the exception and try the old interfaces.
  The exception being thrown has been changed from the deprecated ClientResponseFailure to being wrapped in a PKIException, so the code catching the exception needs to be modified accordingly.
  Ticket 1495
* Fixed PKCS12Export output. (Endi S. Dewata, 2015-07-15, 1 file, -1/+3)
  The PKCS12Export has been modified such that if an error occurs in normal mode it will display the error message and in debug mode it will display the full stack trace.
  The code has also been refactored such that it can be reused as a library in addition to command-line tool. The code will now throw exceptions instead of exiting to the system.
  https://fedorahosted.org/pki/ticket/1224
* Fixed cert-find performance. (Endi S. Dewata, 2015-07-15, 1 file, -21/+65)
  The CertService.searchCerts() has been modified to use the VLV properly to retrieve just the entries in the requested page, thus reducing the response time and memory requirement.
  Some classes have been modified to clean up the debugging logs.
* Fixed user-cert-add --serial with remote CA. (Endi S. Dewata, 2015-07-09, 1 file, -6/+4)
  The user-cert-add command has been modified to ask the user for the CA server URI if the CA is not available locally.
  A new SubsystemClient.exists() method has been added to check whether a subsystem is deployed on the target instance.
  The SubsystemCLI has been modified to call logout() only if the operation is executed successfully.
  The certificate approval callback class has been refactored out of PKIConnection into a separate class to clean up circular dependency with PKIClient.
  https://fedorahosted.org/pki/ticket/1448
* Fixed default cert-find filter. (Endi S. Dewata, 2015-07-06, 1 file, -120/+128)
  To improve the performance the default LDAP filter generated by cert-find has been changed to (certStatus=*) to match an existing VLV index.
  https://fedorahosted.org/pki/ticket/1449
* Ticket 1447 pkispawn: findCertByNickname fails to find cert in creating shared tomcat subsystems on HSM (Christina Fu, 2015-07-06, 1 file, -5/+9)
* Cleaned up SystemConfigService.configureClone(). (Endi S. Dewata, 2015-07-01, 1 file, -50/+22)
  The getCloningData() in SystemConfigService has been renamed to configureClone(). Redundant try-catch blocks have been removed. Some exception messages have been modified to include more info.
* Cleaned up SystemConfigService.validateRequest(). (Endi S. Dewata, 2015-07-01, 1 file, -31/+38)
  The configure() method in SystemConfigService has been modified to log only the error message in normal responses but log the full stack trace when unexpected issues occur.
  The validateData() in SystemConfigService has been renamed to validateRequest() for clarity. The log messages have been modified to include the invalid values entered in the request.
* Fixed selftests log message. (Endi S. Dewata, 2015-06-23, 10 files, -627/+269)
  The SelfTestSubsystem has been modified to display a 'successful' message only if all tests have passed. If a test fails, it will log a failure, subsequent tests will not be executed, and the subsystem will shut down immediately.
  The runSelfTest() in various tests have been cleaned up to throw the original exception to help troubleshooting. The unused RAPresence test has been removed.
  https://fedorahosted.org/pki/ticket/1249
* Fixed thread leaks during shutdown. (Endi S. Dewata, 2015-06-18, 16 files, -35/+47)
  Various code has been modified to properly stop threads during shutdown. A new ID attribute has been added to the LDAP connection factory classes to help identify leaking threads.
  https://fedorahosted.org/pki/ticket/1327
* Fix for HSM cloning issue (Matthew Harmsen, 2015-06-17, 2 files, -0/+47)
* Make pki group-member-show case insensitive (Christian Heimes, 2015-06-16, 1 file, -2/+2)
  Make the memberID argument of getGroupMember() case insensitive. The groupID argument is already case insensitive. The groupID string is used as CN element in an LDAP query, which is case insensitive by definition.
  https://fedorahosted.org/pki/ticket/1069
* Ticket 1410 Issue with Generic Extension being critical (Christina Fu, 2015-06-15, 2 files, -2/+26)
  - patch ported from https://bugzilla.redhat.com/show_bug.cgi?id=1011984
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in the token db cert entry (Christina Fu, 2015-05-22, 1 file, -0/+1)
* disable backup keys and share master keys when using an HSM (Matthew Harmsen, 2015-05-22, 1 file, -0/+12)
  - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
* Fixed key archival problem in CLI with separate KRA instance. (Endi S. Dewata, 2015-05-22, 2 files, -54/+96)
  The CLI has been modified such that when enrolling a certificate with key archival it will obtain the transport certificate from the CA instead of KRA because the KRA may not reside on the same instance.
  The CA REST service has been modified such that it will obtain the transport certificate from the KRA connector.
  https://fedorahosted.org/pki/ticket/1384
* Cleaned up log messages in ConfigurationUtils.getPortFromSecurityDomain(). (Endi S. Dewata, 2015-05-22, 1 file, -4/+16)
  https://fedorahosted.org/pki/ticket/1372
* Fix XSS attacks on the dogtag administration page #1373. (Jack Magne, 2015-05-15, 12 files, -141/+127)
  Porting this set of fixes over from last downstream release upstream.
  Upon further review, decided to fix a few missing things pointed out by the code review and a few other things:
  1. Too many copies of escapeJavaScriptString all over the place. Consolidated the two related functions "escapeJavaScriptString" and "escapeJavaScriptStringHTML" methods in the CMSTemplate class to be called everywhere. Removed the duplicated methods in other classes.
  2. There were some places where "escapeJavaScriptString" was called, when we really wanted "escapeJavaScriptStringHTML". Fixed that everywhere. One reason for this is a copied version of "escapeJavaScriptString" actually was identical to CMSTemplate.escapeJavaScriptString, which has been removed.
  XSS fixes.
* Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfo (Christina Fu, 2015-05-13, 2 files, -38/+277)
  - (1) REST API auth/authz - this patch addresses the first part of this ticket where auditing is completely missing for authentication and authorization at the REST interface.
* Added options for internal token and replication passwords. (Endi S. Dewata, 2015-05-11, 1 file, -14/+9)
  The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before.
  https://fedorahosted.org/pki/ticket/1354
* Fixed authentication data in audit log. (Endi S. Dewata, 2015-05-05, 1 file, -0/+100)
  The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log.
  The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable.
  https://fedorahosted.org/pki/ticket/1054
* Add nuxwdog functionality to Dogtag (Ade Lee, 2015-04-22, 1 file, -4/+4)
  This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes.
  Code is also added to prompt for and test required passwords on startup.
  All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Ticket 1316 Allow adding SAN to server cert during the install process (Christina Fu, 2015-04-21, 4 files, -10/+120)
  Usage:
  * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern
  * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern
  * edit serverCert.profile.exampleWithSANpattern
    - follow the instructions right above 8.default.
    - save and quit
  * cd /usr/share/pki/ca/profiles/ca, edit caInternalAuthServerCert.cfg
    - follow the instructions right above policyset.serverCertSet.9
    - save and quit
  * save away and edit the ca config file for pkispawn:
    (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert)
    - add the following lines, e.g.
        pki_san_inject=True
        pki_san_server_cert=host1.Example.com
    - do the same pkispawn cfg changes for kra or any other instances that you plan on creating
  * create your instance(s)
  Check the SSL server cert; it should contain something like the following:
      Identifier: Subject Alternative Name - 2.5.29.17
          Critical: no
          Value:
              DNSName: host1.Example.com
* Added support for Tomcat 8. (Endi S. Dewata, 2015-04-21, 1 file, -23/+2)
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform.
  The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Remove unneeded class EnrollProfileContext (Fraser Tweedale, 2015-04-16, 2 files, -35/+2)
* Fix incorrect class name in debug message (Fraser Tweedale, 2015-04-16, 1 file, -1/+1)
* Remove duplicate getRequestQueue code (Fraser Tweedale, 2015-04-16, 1 file, -2/+1)
* Ticket 1339 doRevoke error string doesn't clear after failure. (Christina Fu, 2015-04-16, 1 file, -0/+2)
  porting from Bugzilla 1150142
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionality (Christina Fu, 2015-04-14, 1 file, -2/+2)
  This patch is the 2nd phase of the externalReg feature, it makes the following improvements:
  * added feature: recovery by keyid (vs. by cert)
  * fixed some auditing message errors
  * added some missing ldapStringAttributes needed for delegation to work properly
  * added missing externalReg required config parameters
  * made corrections to some externalReg related parameters to allow delegation to work properly
  * added handle of some error cases
  * made sure externalReg enrollment does not go half-way (once fails, bails out)
  tested:
  * enrollment of the three default TPS profiles (tokenTypes)
  * format of the tokens enrolled with the three default tps profiles
  * delegation enrollments
  * cuid match check
  next phase:
  * cert/key retention (allow preserving existing certs/keys on the token)
  note:
  * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Add LDAPProfileSubsystem to store profiles in LDAP (Fraser Tweedale, 2015-04-07, 1 file, -28/+2)
  Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated.
  Extract common behaviour into new AbstractProfileSubsystem superclass.
  Also address the minor issue #1220.
* NISTSP8000 feature. (Jack Magne, 2015-03-17, 2 files, -16/+19)
  Implementation of the nistSP800 derivation feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist derivation code is being called.
  Review comments addressed
  Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
  Final review comments.
  Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg.
* Store groups on AuthToken and update group evaluator (Fraser Tweedale, 2015-03-16, 4 files, -35/+139)
  Update the UidPwdDirAuthentication plugin to retrieve all the user's groups from a directory and store them on the AuthToken.
  Also update the group evaluator to match against all the groups stored in the AuthToken. The "gid" and "groups" are merged into a single collection, if the ACL operation is "=" the collection is checked under disjunction, and if the operation is "!=", then conjunction.
  Fixes https://fedorahosted.org/pki/ticket/1174
* Allow use of secure LDAPS connection (Matthew Harmsen, 2015-03-13, 1 file, -2/+2)
  - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883). (Jack Magne, 2015-02-27, 2 files, -387/+1017)
  First cut of gp211 and scp protocol 02 for tokens.
  Allow token operations using a GP211 token over secure channel protocol 02.
  This patch supports the following:
  1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
  2. Token still supports GP201 cards with SCP01.
  3. SCP02 tested with SC650 gp211/scp02 card.
  Things still to do:
  1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed.
  2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket.
  3. One of the new scp02 derivation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later.
  4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but having the card to test is more convenient and there were more crucial issues to this point.
* Bugzilla 1134405 - CRL publishing fails after Java heap out of memory error (Ade Lee, 2015-02-26, 1 file, -0/+24)
  Added fix from hot fix.