| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
| |
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit d42f39334ce4b4f5fa89707bfb6145039ff04579)
|
| |
|
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 9609f4e6035d3cdff19a0f78caee2d08b095c8ba)
|
| |
|
|
|
|
|
|
| |
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 66a4b7e635a4456a102221049c58c461d3429093)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
|
| |
|
|
|
|
|
|
| |
Noise file does not actually need to have random data because
NSS does not actually use this data. Certutil still needs
the file though, so we will put dummy data in there. This
solves potential problems with the random() method used and also
issues like BZ 1244382
|
| | |
|
| |
|
|
| |
- PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
|
| |
|
|
|
| |
This patch addressed the issue that TPS on independent Tomcat is missing
symlink to symkey.jar and causes all symkey method reference to fail
|
| |
|
|
|
| |
- PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA
should hold off prepending token name in serverCertNick.conf till phase 2
|
| |
|
|
|
|
|
|
|
|
| |
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
|
| |
|
|
|
| |
When second subsystem is installed, serverCertNick.conf and other top level
tomcat config files should not be replaced.
|
| |
|
|
|
| |
All subsystems are now tomcat instances. Conditionals based on
whether the subsystem is a tomcat instance or not are no longer required.
|
| |
|
|
|
|
|
| |
The deployment tool has been modified to deploy the pki.xml only
if the theme package is installed.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy the theme files
directly from /usr/share/pki. New deployment descriptors have been
added for admin templates and JS library.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy all subsystems
directly from the /usr/share/pki. This will simplify updating
the templates in the web applications.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
| |
|
|
| |
- PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)
|
| |
|
|
| |
- PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
|
| |
|
|
|
| |
- PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
- PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
|
| |
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously pylint report was saved it into a file which may not be
accessible on a build system. The pylint-build-scan.sh has been
changed to display the report so it will appear in the build log.
The pylint configuration has also been modified to disable C and R
messages by default. This way when other errors or warnings occur
the build will fail without having to check for specific codes.
Some Python codes have been modified to reduce the number of pylint
warnings.
https://fedorahosted.org/pki/ticket/703
|
| |
|
|
|
|
|
|
|
|
| |
In Fedora 22 the Resteasy package has been split into several
subpackages. The pki-core.spec has been modified to depend on
more specific Resteasy packages which depend only on Jackson
1.x. The classpaths and various scripts have been modified to
remove unused references to Jackson 2.x.
https://fedorahosted.org/pki/ticket/1254
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently web applications are deployed into Host's appBase (i.e.
<instance>/webapps). To allow better control of individual
subsystem deployments, the web applications have to be moved out
of the appBase so that the autoDeploy can work properly later.
This patch moves the common web applications to <instance>/
common/webapps and subsystem web applications to <instance>/
<subsystem>/webapps. An upgrade script has been added to update
existing deployments.
https://fedorahosted.org/pki/ticket/1183
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
| |
|
|
| |
- PKI TRAC Ticket #1077 - Consider removing [Apache] section from 'default.cfg'
|
| |
|
|
| |
- PKI TRAC Ticket #1120 - Remove Firefox PKI GUI Configuration Panel Interface
|
| |
|
|
|
| |
* PKI TRAC Ticket #905 - 2 Step Configuration of CA instance using
pkispawn fails
|
| |
|
|
|
| |
Improve the layout of strings in pkimessages and fix
a couple more PEP 8 issues.
|
| |
|
|
| |
Mostly handle pycharm warnings about code formatting.
|
| |
|
|
|
|
| |
Most of the install python scripts do not meet PEP8 including
being less than 80 chars. Changing master_dict to mdict helps
fix this and improves or at least does not degrade readability.
|
| | |
|
| |
|
|
|
|
| |
1. Provides an xml file served by TPS to allow the client(esc) to configure itself to contact TPS.
2. Edewata review fixes. Return application/xml instead of text/xml, and fix how the phone home file path is calculated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy TPS directly from the
share folder. This way the TPS UI can be upgraded automatically with
RPM upgrade without having to write upgrade scripts.
For this to work, the TPS web application files cannot contain any slot
parameters. So, the cfgPath parameter has been removed from web.xml,
and the CMSStartServlet has been modified such that if the parameter is
missing it would generate a default path matching the original value in
web.xml. Also, the velocity.properties has been modified to use a fixed
value for the file.resource.loader.path parameter pointing to the share
folder.
In the future other subsystems may be modified to use the same
deployment mechanism.
Ticket #748, #752, #499
|
| |
|
|
|
|
|
|
|
|
| |
The Dogtag client library has been modified to use RESTEasy 3.0 client
library. A new upgrade script has been added to update existing servers.
The JAXB annotation in ResourceMessage has been modified to require
explicit property mapping.
Ticket #554
|
| |
|
|
|
|
|
|
|
| |
The Jettison library has been replaced with Jackson library as
JSON provider for RESTEasy. All class paths and the deployment
tools have been updated accordingly. The Python library and the
TPS UI have been updated as well to use the new JSON format.
Ticket #817
|
| |
|
|
|
|
| |
The deployment scriptlet has been fixed to copy the templates to the
subsystem web application. This functionality was incorrectly removed
in a previous revision (5952a82975063c4ec27303091a44e586d1386933).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The location of web application context file has been changed from
<instance>/webapps/<name>/META-INF/context.xml
into
<instance>/conf/Catalina/localhost/<name>.xml.
This will eventually allow deploying the web application directly
from the shared folder.
A new upgrade script has been added to move the context files in
the existing instances.
Ticket #499
|
| |
|
|
| |
* TRAC Ticket #667 - provide option for ca-less drm install
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operations requires JSS changes, though, and so will be deferred
to a later patch. For now, though, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.
|
| |
|
|
|
| |
Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor
with correct method call and reformatted the interceptors.
|
| |
|
|
|
|
|
|
| |
tomcat now uses systemd unit files. We will reuse and customize those
files accordingly. As a result, startup is simplified considerably -
and pkidaemon has been gutted accordingly.
We'll need to add migration scripts for older instances in a subsequent patch.
|
|
|
The pkispawn and pkidestroy scripts have been moved into sbin folder.
The Python deployment library and the scriptlets were moved into
pki.server.deployment and pki.server.deployment.scriptlets packages,
respectively.
|
