summaryrefslogtreecommitdiffstats
path: root/base/server/python/pki/server
Commit message (Collapse)AuthorAgeFilesLines
* Fixed KRA install problem.branch-10.2.7-dev1Endi S. Dewata2016-04-022-28/+44
| | | | | | | | | | | | | Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists. The PKIInstance class has been modified to allow loading partially created instance to help the installation. https://fedorahosted.org/pki/ticket/2247
* Install tools clean-up.Endi S. Dewata2016-04-021-3/+0
| | | | | | | | | | | | Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg. https://fedorahosted.org/pki/ticket/2247
* Fix escaping of password fields to prevent interpolationChristian Heimes2016-04-021-0/+3
| | | | | | | | | | Some password and pin fields are missing from the no_interpolation list. One entry is misspelled. A '%' in password field such as pki_clone_pkcs12_password causes an installation error. https://fedorahosted.org/pki/ticket/1703 Signed-off-by: Christian Heimes <cheimes@redhat.com>
* Fixed certificate chain import problem.Endi S. Dewata2016-04-021-10/+13
| | | | | | | | | | | | In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname. https://fedorahosted.org/pki/ticket/2022
* Added support for cloning 3rd-party CA certificates.Endi S. Dewata2016-04-021-0/+19
| | | | | | | | | | | | | | | | | | | | | | | The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates. https://fedorahosted.org/pki/ticket/1742
* Additional clean-ups for PKCS #12 utilities.Endi S. Dewata2016-04-023-17/+17
| | | | | | | | | | | | | | | | The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export. https://fedorahosted.org/pki/ticket/1742
* Renamed PKCS #12 options for consistency.Endi S. Dewata2016-04-026-41/+41
| | | | | | | The pki CLI's --pkcs12 options has been renamed to --pkcs12-file for consistency with pki-server CLI options. https://fedorahosted.org/pki/ticket/1742
* Handle import and export of external certsAde Lee2016-04-029-14/+345
| | | | | | | | | | | | | | | | | | | | | | Ticket 1742 has a case where a third party CA certificate has been added by IPA to the dogtag certdb for the proxy cert. There is no way to ensure that this certificate is imported when the system is cloned. This patch will allow the user to import third party certificates into a dogtag instance through CLI commands (pki-server). The certs are tracked by a new instance level configuration file external_certs.conf. Then, when cloning: 1. When the pk12 file is created by the pki-server ca-clone-prepare command, the external certs are automatically included. 2. When creating the clone, the new pki_server_pk12_path and password must be provided. Also, a copy of the external_certs.conf file must be provided. 3. This copy will be read and merged with the existing external_certs.conf if one exists.
* Implement total ordering for PKISubsystem and PKIInstanceChristian Heimes2016-04-021-0/+45
| | | | | | | | In Python 3 subclasses no longer implement automatic ordering. To provide ordering for sort() and custom comparison, __eq__ and __lt__ are required. https://fedorahosted.org/pki/ticket/2216
* Py3 modernization: libmodernize.fixes.fix_importChristian Heimes2016-04-0219-0/+24
| | | | | | | | | | | | | | Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use from . import module The future feature 'from __future__ import absolute_import' ensures that pki uses absolute imports on Python 2, too. See https://www.python.org/dev/peps/pep-0328/
* Added mechanism to import system certs via PKCS #12 file.Endi S. Dewata2016-04-023-9/+60
| | | | | | | | | | | | | | | | | | | | | | The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting. https://fedorahosted.org/pki/ticket/1742
* Added pki-server commands to export system certificates.Endi S. Dewata2016-04-028-33/+1011
| | | | | | | | | | | | | | | | Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem. https://fedorahosted.org/pki/ticket/1742
* Modify dnsdomainname test in pkispawnAde Lee2016-03-291-1/+1
| | | | | | | | We do a check for the dnsdomainname, which fails in Openstack CI because this is not set. Instead of exiting, default to the hostname. (cherry picked from commit 795465f8620a0a10092435dce46e4cff93dbc20a)
* Fixed KRA installation.Endi S. Dewata2016-02-222-2/+2
| | | | | | | | | | Due to a recent change the KRA installation failed because the installer was trying to read the pki_external_csr_path parameter which is not available for KRA installation. The installer has been fixed to read the parameter in external CA case only. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit d42f39334ce4b4f5fa89707bfb6145039ff04579)
* Renamed pki.nss into pki.nssdb.Endi S. Dewata2016-02-223-8/+8
| | | | | | | | The pki.nss module has been renamed into pki.nssdb to prevent conflicts with the nss module. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 9609f4e6035d3cdff19a0f78caee2d08b095c8ba)
* Fixed installation summary for existing CA.Endi S. Dewata2016-02-222-7/+7
| | | | | | | | The pkispawn has been modified to display the proper summary for external CA and existing CA cases. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 66a4b7e635a4456a102221049c58c461d3429093)
* Fixed external CA case for IPA compatibility.Endi S. Dewata2016-02-222-5/+12
| | | | | | | | | | | | | | The installation code for external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
* Added mechanism to import existing CA certificate.Endi S. Dewata2016-02-224-32/+183
| | | | | | | | | | | | The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
* Added pki-server subsystem-cert-export command.Endi S. Dewata2016-02-222-0/+132
| | | | | | | | | A new command has been added to export a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance. https://fedorahosted.org/pki/ticket/456 (cherry picked from commit 9dce4a497f7c977a3c453972706eeb325bd33275)
* Added automatic Tomcat migration.Matthew Harmsen2015-11-015-27/+51
| | | | | | | | | | | | | | | | | The pki-server migrate command has been modified such that if there is no specific Tomcat version specified it will use the current Tomcat version. The top attribute in the CLI class was not functioning properly, so it has been replaced with get_top_module() method. The getopt() invocations in pki-server subcommands have been replaced with gnu_getopt() to allow intermixing options and arguments. https://fedorahosted.org/pki/ticket/1310 (based upon Edewata patch c7bc6eb94aa64c89467f9394554f860dc485ad94)
* Added support for secure database connection in CLI.Endi S. Dewata2015-09-233-12/+97
| | | | | | | | | | | | | | | | The pki-server subsystem-cert-update has been modified to support secure database connection with client certificate authentication. The certificate and the private key will be exported temporarily into PEM files so python-ldap can use them. The pki client-cert-show has been modified to provide an option to export client certificate's private key. https://fedorahosted.org/pki/ticket/1551 (cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247) Conflicts: base/server/upgrade/10.2.0/01-AddTLSRangeSupport
* Added CLI to update cert data and request in CS.cfg.Endi S. Dewata2015-09-235-81/+718
| | | | | | | | | | A set of new pki-server commands have been added to simplify updating the cert data and cert request stored in the CS.cfg with the cert data and cert request stored in the NSS and LDAP database, respectively. https://fedorahosted.org/pki/ticket/1551 (cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
* Ticket 1566 on HSM, non-CA subystem installations failing while trying to ↵Christina Fu2015-08-191-10/+10
| | | | | | join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations (cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
* Ticket #1556 Weak HTTPS TLS ciphersChristina Fu2015-08-141-34/+38
| | | | | | | | | | This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to 1. provide info on the ciphers 2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization)
* Add code to reindex data during cloning without replicationAde Lee2015-07-311-0/+1
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* Add certutil options for ECCMatthew Harmsen2015-07-282-3/+33
| | | | | - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate
* Remove noise file generation codeAde Lee2015-07-282-64/+19
| | | | | | | | Noise file does not actually need to have random data because NSS does not actually use this data. Certutil still needs the file though, so we will put dummy data in there. This solves potential problems with the random() method used and also issues like BZ 1244382
* Updated man pages with TPS info.Endi S. Dewata2015-07-181-2/+2
| | | | | | | The man pages for pkispawn and pki_default.cfg have been updated to include TPS deployment parameters. https://fedorahosted.org/pki/ticket/1277
* Limited Interactive Installation SupportMatthew Harmsen2015-07-021-0/+19
| | | | | - PKI TRAC Ticket #1441 - Lack of Interactive Installation Support (Cloning, Subordinates, Externals, HSMs, ECC)
* Ticket 1438 pkispawn: SSL_ForceHandshake issue for non-CA on HSM on both ↵Christina Fu2015-07-011-35/+72
| | | | shared and nonshared tomcat instances
* Fixed Modutil.is_security_module_registered().Endi S. Dewata2015-06-291-45/+45
| | | | | | | | Due to issues with HSM the Modutil.is_security_module_registered() has been modified to the get the list of all registered modules and then use it to check if a module is registered. https://fedorahosted.org/pki/ticket/1444
* Check security module registrationMatthew Harmsen2015-06-182-0/+59
| | | | | | - PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances) - PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances) - PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
* ticket 867 symkey library path link fixChristina Fu2015-06-181-0/+7
|
* fix pylint issueChristina Fu2015-06-171-2/+2
|
* add pkiuser to nfast groupMatthew Harmsen2015-06-164-0/+96
| | | | - PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
* Invoke PKIInstance.load() during upgradeFraser Tweedale2015-06-161-0/+3
| | | | | | Some upgrade servlets use attributes loaded when PKIInstance.load() is invoked, but it may not have been; breakage ensues. Invoke it before executing upgrade scriptlets.
* Cleaned up links in main page.Endi S. Dewata2015-06-111-3/+0
| | | | | | | | | | | | | The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem. The pkispawn output has been modified to show the subsystem URL more consistently: https://<hostname>:<port>/<subsystem> In all subsystems except TPS the page will redirect to: https://<hostname>:<port>/<subsystem>/services
* Ticket 867 Need to support TPS as a separate tomcat instance.Christina Fu2015-06-011-8/+0
| | | | | This patch addressed the issue that TPS on independent Tomcat is missing symlink to symkey.jar and causes all symkey method reference to fail
* Fixed overwritten deployment property.Endi S. Dewata2015-05-291-1/+1
| | | | | | | The pki_pin has been removed from the default.cfg to avoid overwriting the randomly generated default value. https://fedorahosted.org/pki/ticket/1393
* disable backup keys and share master keys when using an HSMMatthew Harmsen2015-05-222-6/+39
| | | | | - PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an HSM (and provide recommendation); allow clones to share keys
* Added deployment parameters to construct pki_clone_uri.Endi S. Dewata2015-05-221-1/+0
| | | | | | | | New parameters have been added into the default.cfg to specify the master hostname and port for pki_clone_uri. By default they point to the security domain. The man page has been updated as well. https://fedorahosted.org/pki/ticket/1385
* Fixed pylint warning in pkihelper.py.Endi S. Dewata2015-05-141-1/+1
|
* Fixed problem redeploying subsystem.Endi S. Dewata2015-05-141-3/+13
| | | | | | | | The pki-server subsystem-enable CLI has been modified to deploy the subsystem from a custom location if available, or from the default location otherwise. https://fedorahosted.org/pki/ticket/1381
* modify contents of serverCertNick.confMatthew Harmsen2015-05-133-0/+48
| | | | | - PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA should hold off prepending token name in serverCertNick.conf till phase 2
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-112-6/+18
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemdAde Lee2015-05-103-17/+93
| | | | | | | | | | | | | | | | | | | | | | This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Fixed installation logs.Endi S. Dewata2015-05-081-6/+13
| | | | | | | | | To help troubleshooting installation failures the pkihelper.py has been modified to display the error code returned by the server before parsing the error message. If there is a parsing error, the unparsed message will now be displayed. The redundant 'raise' and 'return' statements have been removed.
* Simple fix for this is not requiring the pki_client_database_password to be ↵Jack Magne2015-05-071-1/+3
| | | | | | set when performing a clone operation. Tested with a cloned CA and a couple of other subysstems, such as OCSP.
* Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user.Jack Magne2015-05-072-70/+10
| | | | | | | | | | The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this as well. Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
* Fixed pylint warnings.Endi S. Dewata2015-05-071-0/+3
| | | | | | | The pki.server Python module has been fixed to remove pylint warnings generated by recent changes. https://fedorahosted.org/pki/ticket/1353
generated by cgit (git 2.34.1) at 2024-05-23 14:49:53 +0000