| Commit message (Collapse) | Author | Age | Files | Lines |
| |
The code that restarts the server at the end of installation has been
moved into configuration.py to allow further enhancements.
https://pagure.io/dogtagpki/issue/2280
Change-Id: I1de49ab9e7ec9f86dd1adfd945e6162948fd445a
| |
The ConfigClient.configure_pki_data() has been modified to return
the server response to the caller to allow more flexibility in
processing the configuration result.
The code that handles system certificate requests generated by the
server has been moved into configuration.py.
https://pagure.io/dogtagpki/issue/2280
Change-Id: Id902fcc10fbdcb270e3b00e219c3356d1319bde1
| |
Currently, the --cert option has not been implemented for the
`pki-server subsystem-cert-update` command. The --cert option takes the
certificate name that needs to be added to the NSS database
and replaces the existing certificate (if it exists) in the
database.
https://pagure.io/dogtagpki/issue/2756
Change-Id: If8be9edd55a673230f86e213fc803be365e55a92
| |
Some pki-server CLIs have been added to inspect and validate the
content of the banner file.
The PKI server startup script has been modified to validate the
content of the banner file using the new CLI.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ibc51afee184d0a720cc0d2961af08ef75d2b54c4
| |
The AuditVerify.verify() has been cleaned up and some debug
messages have been added for clarity.
https://pagure.io/dogtagpki/issue/2634
Change-Id: Id1c510dd0081e3abb4fb34da0737ea6a3a335ba4
| |
- https://pagure.io/dogtagpki/issue/2713 - Build failure due to Pylint issues
| |
The initialization scriptlet has been fixed to verify the subsystem
existence properly when running the second step of the two-step
subordinate CA installation.
https://pagure.io/dogtagpki/issue/2707
Change-Id: I0cc8ca21fda8637b4b34f4c5a1c108d213f638f8
| |
The operations script has been modified to enable all subsystems
on startup by default. If the selftest fails, the subsystem will
be shut down again automatically as before. A pki.conf option has
been added to configure this behavior.
https://pagure.io/dogtagpki/issue/2699
Change-Id: Iaf367ba2d88d73f377662eee5eafbb99e088ae50
| |
- Bugzilla Bug #1454603 - Unable to install IPA server due to pkispawn error
| |
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
| |
Bugzilla Bug #1450143 - CA installation with HSM in FIPS mode fails
dogtagpki Pagure Issue #2684 - CA installation with HSM in FIPS mode fails
| |
The finalization scriptlet now waits after the service has been restarted.
Change-Id: Id462728386b9d7e6b3364e1651ef6676115dd1de
Bugzilla: BZ#1446364
Pagure: 2644
Signed-off-by: Christian Heimes <cheimes@redhat.com>
| |
Fix Python 3 support for pkispawn: Config values are text values. Therefore
the config file has to be written as a text file.
Test Python 3 support in Travis CI. The little script py3rewrite copies
pki.server Python files and rewrites pkispawn and pkidestroy to use
Python 3.
Change-Id: Ia516f80df94cacc2acfa70929ad16bb5b9c39ddf
Signed-off-by: Christian Heimes <cheimes@redhat.com>
| |
A new pki-server <subsystem>-audit-file-verify CLI has been added
to verify audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
| |
A new pki-server <subsystem>-audit-file-find CLI has been added
to list audit log files on the server.
Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
| |
A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate the NSS database password during installation.
https://pagure.io/dogtagpki/issue/2556
Change-Id: I64dd36125ec968f6253f90835e6065325d720032
| |
Added 'pylint: disable=no-member' whenever module 're'
attempts to reference its 'MULTILINE' member.
| |
https://pagure.io/dogtagpki/issue/2627
Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd
| |
The code that loads the password.conf in PKIInstance.load() has
been converted into a general purpose load_properties() method.
A corresponding store_properties() method has been added as well.
| |
Previously the /pki webapp was only added if the theme was present
during installation, and there were separate webapps for /pki/admin
and /pki/js. If the theme was installed later, the /pki webapp had
to be configured manually.
To simplify the installation and to support other developments
(e.g. login banner), the /pki webapp will always be added during
installation regardless of theme, and the /pki/admin and /pki/js
webapps are merged into the /pki webapp. When the theme package is
installed, it will create links in the /pki webapp so the theme files
will become available without additional configuration.
An upgrade script has been added to merge the /pki webapp in
existing instances.
https://fedorahosted.org/pki/ticket/2582
| |
In the migration case, it is useful to delete the initially
created signing certificate database record and have that be
imported through the ldif data import instead.
Therefore, we add an option to remove this entry. The user
also needs to provide the serial number for the entry.
This resolves the following tickets/BZs:
BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed
on CA website incorrect
BZ# 1409946/Trac 2571 - Request ID undefined for CA signing
certificate
| |
To improve reusability the deployment system variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.
| |
To improve reusability the deployment timestamp variables have been
converted from global variables in pkiconfig.py into attributes in
PKIDeployer.
| |
To improve reusability the flatten_master_dict() has been moved
from PKIConfigParser into PKIDeployer.
| |
To improve reusability the PKIDeployer class has been moved from
the pkihelper.py into the top level pki.server.deployment module.
| |
To improve reusability the pki_subsystem object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.
| |
To improve reusability the pki_config object has been moved from
PKIConfigParser into PKIDeployer.
| |
To improve reusability the user_config object has been converted
from a global variable in pkiconfig.py into an attribute in
PKIDeployer.
| |
To improve reusability the deployment tools have been modified
such that the master and slots dictionary objects are created in
PKIDeployer at the beginning of the program. The PKIConfigParser
has been modified to use the same dictionary objects.
| |
The pki_copytree() has been moved from pkihelper.py into
pki/util.py such that it can be reused in non-deployment
scenarios.
| |
To reduce maintenance the log4j.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in the /var/lib/pki/<instance>/lib folder pointing to
the default file in /usr/share/pki/server/conf.
The default log4j.properties has been updated to remove redundant
lines. By default only log messages with level WARN or higher will
be logged on the console.
https://fedorahosted.org/pki/ticket/1897
| |
To reduce maintenance the logging.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in /etc/pki/<instance> pointing to the default file
in /usr/share/pki/server/conf.
The default logging.properties has been updated to only log
messages with level WARNING or higher on the console.
https://fedorahosted.org/pki/ticket/1897
| |
When installing a subordinate CA with an HSM, the installer calls the
pki CLI (which is implemented using JSS) to validate the imported
CA certificate in the HSM. Normally, the HSM password is specified as
a CLI parameter, but in FIPS mode JSS requires both the HSM and the
internal token passwords. Since the CLI only takes one password,
JSS will prompt for the missing one on the console, causing the
installation to hang.
As a temporary solution, the pki-server subsystem-cert-validate
command has been modified to validate certificates stored in the
internal token only and it will use the internal token password,
so only a single password is required. Further investigation in
CLI/JSS/NSS is needed to support validating certificates in HSM
without password prompts.
https://fedorahosted.org/pki/ticket/2543
| |
Due to a certutil issue (bug #1393668) the installation code has
been modified to import certificates into the NSS database in
two steps. This workaround is needed to install a subordinate CA
with an HSM in FIPS mode.
First, the certificate will be imported into the HSM using the
HSM password without the trust attributes. Then, the certificate
will be imported into the internal token using the internal token
password with the trust attributes.
https://fedorahosted.org/pki/ticket/2543
| |
The verify_subsystem_does_not_exist() has been modified to display
the proper error message when the subsystem to be installed already
exists.
https://fedorahosted.org/pki/ticket/2476
| |
The patch that added the support for creating system certificates
in different tokens causes issues in certain cases, so for now it
has been reverted.
https://fedorahosted.org/pki/ticket/2449
| |
Previously all system certificates were always created in the same
token specified in the pki_token_name parameter.
To allow creating system certificates in different tokens, the
configuration.py has been modified to store the system certificate
token names specified in pki_<cert>_token parameters into the
CS.cfg before the server is started.
After the server is started, the configuration servlet will read
the token names from the CS.cfg and create the certificates in the
appropriate token.
https://fedorahosted.org/pki/ticket/2449
| |
Previously, when installing with an HSM, the token name had to be
specified for each system certificate in the pki_<cert>_token
parameters. The deployment tool has been modified such that by
default it will use the token name specified in pki_token_name.
https://fedorahosted.org/pki/ticket/2423
| |
The pki-server subsystem-cert-update CLI has been updated to
use certutil to retrieve the certificate data from the proper
token. It will also show a warning if the certificate request
cannot be found.
The NSSDatabase constructor has been modified to normalize the
name of internal NSS token to None. If the token name is None,
the certutil will be executed without the -h option.
The NSSDatabase.get_cert() has been modified to prepend the token
name to the certificate nickname.
https://fedorahosted.org/pki/ticket/2440
| |
The CA signing CSR is already stored in the request record which will
be imported as part of the migration process, so it's not necessary to
export and reimport the CSR file for migration.
To allow optional CSR, the pki-server subsystem-cert-validate
CLI has been modified to no longer check the CSR in CS.cfg. The
ConfigurationUtils.loadCertRequest() has been modified to ignore
the missing CSR in CS.cfg.
https://fedorahosted.org/pki/ticket/2440
| |
The pkispawn has been modified to improve the way it displays the
error message returned by SystemConfigService.configure(). If the
method throws a PKIException, the response is returned as a JSON
message, so pkispawn will parse it and display the actual error
message. For other exceptions pkispawn will display the entire
HTML message returned by Tomcat.
https://fedorahosted.org/pki/ticket/2399
| |
To fix a cloning issue in IPA the security_database.py has been
modified to import all certificates and keys in the PKCS #12 file
before the PKI server is started. Since the PKCS #12 generated by
IPA may not contain the certificate trust flags, the script will
also reset the trust flags on the imported certificates (i.e.
CT,C,C for CA certificate and u,u,Pu for audit certificate).
The ConfigurationUtils.restoreCertsFromP12() is now redundant and
it should be removed in the future, but for now it has been
modified to set the same trust flags on imported certificates.
The CryptoUtil.importCertificateChain() has also been modified to
set the same trust flags on imported certificates.
https://fedorahosted.org/pki/ticket/2424
| |
To help troubleshoot cloning issues the security_databases.py
has been modified to log the content of the PKCS #12 file before
import and the NSS database after import.
https://fedorahosted.org/pki/ticket/2424
| |
Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
| |
Need to put pki_server_side_keygen in a conditional to avoid
breaking other subsystem deployments.
Ticket 2418
| |
Ticket 2418