| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
- PKI TRAC Ticket #1441 - Lack of Interactive Installation Support
(Cloning, Subordinates, Externals, HSMs, ECC)
|
| |
|
|
| |
shared and nonshared tomcat instances
|
| |
|
|
|
|
|
|
| |
Due to issues with HSM the Modutil.is_security_module_registered()
has been modified to the get the list of all registered modules
and then use it to check if a module is registered.
https://fedorahosted.org/pki/ticket/1444
|
| |
|
|
|
|
| |
- PKI TRAC Ticket #1426 - pkispawn of KRA on HSM fails (shared instances)
- PKI TRAC Ticket #1427 - pkispawn of OCSP on HSM fails (shared instances)
- PKI TRAC Ticket #1429 - pkispawn of TKS on HSM fails (shared instances)
|
| | |
|
| | |
|
| |
|
|
| |
- PKI TRAC Ticket #1415 - nCipher HSM: Add 'pkiuser' to 'nfast' group
|
| |
|
|
|
|
| |
Some upgrade servlets use attributes loaded when PKIInstance.load()
is invoked, but it may not have been; breakage ensues. Invoke it
before executing upgrade scriptlets.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
| |
|
|
|
| |
This patch addressed the issue that TPS on independent Tomcat is missing
symlink to symkey.jar and causes all symkey method reference to fail
|
| |
|
|
|
|
|
| |
The pki_pin has been removed from the default.cfg to avoid
overwriting the randomly generated default value.
https://fedorahosted.org/pki/ticket/1393
|
| |
|
|
|
| |
- PKI TRAC Ticket #1371 - pkispawn: need to disable backup_keys when using an
HSM (and provide recommendation); allow clones to share keys
|
| |
|
|
|
|
|
|
| |
New parameters have been added into the default.cfg to specify the
master hostname and port for pki_clone_uri. By default they point
to the security domain. The man page has been updated as well.
https://fedorahosted.org/pki/ticket/1385
|
| | |
|
| |
|
|
|
|
|
|
| |
The pki-server subsystem-enable CLI has been modified to deploy
the subsystem from a custom location if available, or from the
default location otherwise.
https://fedorahosted.org/pki/ticket/1381
|
| |
|
|
|
| |
- PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA
should hold off prepending token name in serverCertNick.conf till phase 2
|
| |
|
|
|
|
|
|
| |
The installation code has been modified such that the admin can
optionally specify passwords for internal token and replication.
Otherwise the code will generate random passwords like before.
https://fedorahosted.org/pki/ticket/1354
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
| |
|
|
|
|
|
|
|
| |
To help troubleshooting installation failures the pkihelper.py has
been modified to display the error code returned by the server before
parsing the error message. If there is a parsing error, the unparsed
message will now be displayed.
The redundant 'raise' and 'return' statements have been removed.
|
| |
|
|
|
|
| |
set when performing a clone operation.
Tested with a cloned CA and a couple of other subysstems, such as OCSP.
|
| |
|
|
|
|
|
|
|
|
| |
The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue.
The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point.
A user at the command line of the pki command will no longer be able to attempt this as well.
Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
|
| |
|
|
|
|
|
| |
The pki.server Python module has been fixed to remove pylint
warnings generated by recent changes.
https://fedorahosted.org/pki/ticket/1353
|
| |
|
|
|
|
|
|
| |
The migration tool has been fixed to update the links to Tomcat
libraries in the instance folder to match the current Tomcat
version installed on the system.
https://fedorahosted.org/pki/ticket/1353
|
| |
|
|
|
| |
Ports are already set when deploying into an existing instance.
Having a user re-enter these is repetitious and error prone.
|
| |
|
|
|
| |
When second subsystem is installed, serverCertNick.conf and other top level
tomcat config files should not be replaced.
|
| |
|
|
|
| |
All subsystems are now tomcat instances. Conditionals based on
whether the subsystem is a tomcat instance or not are no longer required.
|
| |
|
|
|
|
| |
This adds the ability to either enable or disable an instance using
the pki-server utility. Additional documentation and additions to the
man pages will be added in a separate patch.
|
| |
|
|
|
|
|
| |
The deployment tool has been modified to deploy the pki.xml only
if the theme package is installed.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy the theme files
directly from /usr/share/pki. New deployment descriptors have been
added for admin templates and JS library.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to deploy all subsystems
directly from the /usr/share/pki. This will simplify updating
the templates in the web applications.
https://fedorahosted.org/pki/ticket/499
|
| |
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This is the first of several commits. This adds a LifecycleListener
to call init() on the nuxwdog client before any connectors or webapps
start up, and call sendEndInit() once initialization completes.
Code is also added to prompt for and test required passwords on startup.
All that is required to use nuxwdog is to start the server using nuxwdog.
An environment variable will be set that will trigger creation of the
NuxwdogPasswordStore. We expect tags for the required passwords to be in
cms.passwordList
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Usage:
* under /usr/share/pki/ca/conf, you will find a new file called
serverCert.profile.exampleWithSANpattern
* copy existing serverCert.profile away and replace with
serverCert.profile.exampleWithSANpattern
* edit serverCert.profile.exampleWithSANpattern
- follow the instruction right above 8.default.
- save and quit
* cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg
- follow the instruction right above policyset.serverCertSet.9
- save and quit
* save away and edit the ca config file for pkispawn: (note: you can
add multiple SAN's delimited by ',' for pki_san_server_cert
- add the following lines, e.g.
pki_san_inject=True
pki_san_server_cert=host1.Example.com
- do the same pkispawn cfg changes for kra or any other instances
that you plan on creating
* create your instance(s)
check the sl sever cert, it should contain something like the
following:
Identifier: Subject Alternative Name - 2.5.29.17
Critical: no
Value:
DNSName: host1.Example.com
|
| |
|
|
|
|
|
|
|
|
|
|
| |
New pki-server CLI commands have been added to migrate the server
configuration from Tomcat 7 to Tomcat 8 and vice versa. These
commands can be used later during system upgrade to migrate
existing instances from Tomcat 7 in F22 to Tomcat 8 in F23.
The Python CLI framework has been refactored to provide a way to
find other CLI modules by the command names.
https://fedorahosted.org/pki/ticket/1264
|
| |
|
|
| |
- PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)
|
| |
|
|
| |
- PKI TRAC Ticket #1346 - pkispawn should have an HSM library option
|
| |
|
|
|
| |
- PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
- PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
|
| |
|
|
|
|
| |
Add the `pki_profiles_in_ldap' pkispawn config to control whether
profiles are stored on the filesystem (old behaviour) or LDAP (new
behaviour). The default is file-based profiles.
|
| |
|
|
| |
- PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously pylint report was saved it into a file which may not be
accessible on a build system. The pylint-build-scan.sh has been
changed to display the report so it will appear in the build log.
The pylint configuration has also been modified to disable C and R
messages by default. This way when other errors or warnings occur
the build will fail without having to check for specific codes.
Some Python codes have been modified to reduce the number of pylint
warnings.
https://fedorahosted.org/pki/ticket/703
|
| |
|
|
|
|
|
|
|
|
| |
In Fedora 22 the Resteasy package has been split into several
subpackages. The pki-core.spec has been modified to depend on
more specific Resteasy packages which depend only on Jackson
1.x. The classpaths and various scripts have been modified to
remove unused references to Jackson 2.x.
https://fedorahosted.org/pki/ticket/1254
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki-server CLI has been added to manage the instances and
subsystems using the server management library. This CLI manages
the system files directly, so it can only be run locally on the
server by the system administrator.
The autoDeploy setting in server.xml has been enabled by default.
An upgrade script has been added to enable the autoDeploy setting
in existing instances.
https://fedorahosted.org/pki/ticket/1183
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKISubsystem and PKIInstance classes used by the upgrade
framework have been converted into a server management library.
They have been enhanced to provide the following functionalities:
* starting and stopping instances
* enabling and disabling subsystems
* checking instance and subsystem statuses
The validate() invocation has been moved out of the constructors
into the upgrade framework such that these objects can be created
to represent subsystems and instances that do not exist yet.
https://fedorahosted.org/pki/ticket/1183
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently web applications are deployed into Host's appBase (i.e.
<instance>/webapps). To allow better control of individual
subsystem deployments, the web applications have to be moved out
of the appBase so that the autoDeploy can work properly later.
This patch moves the common web applications to <instance>/
common/webapps and subsystem web applications to <instance>/
<subsystem>/webapps. An upgrade script has been added to update
existing deployments.
https://fedorahosted.org/pki/ticket/1183
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent packages not
found
(cherry picked from commit d7a0807b7493fc3d86900ee4aaf8199efd824907)
Conflicts:
base/java-tools/templates/pki_java_command_wrapper.in
base/java-tools/templates/pretty_print_cert_command_wrapper.in
base/java-tools/templates/pretty_print_crl_command_wrapper.in
base/server/python/pki/server/deployment/pkiparser.py
base/server/scripts/operations
(cherry picked from commit c8d73ade2c651fd5ca01226c89d5d19828bfc9b7)
|
| |
|
|
| |
and upgrade
|
| |
|
|
|
|
|
|
|
| |
Installation code failed to anticipate installation of a subordinate
CA that would host its own security domain. This patch includes changes
to python installation code, java configuration servlet and
changes to man pages.
Ticket 1132
|
