path: root/base/server/python
Commit log, most recent first. Each entry: subject; author | date | files changed | lines removed/added; message body.
* Removed support for creating system certificates in different tokens.
  Endi S. Dewata | 2016-09-08 | 1 file | -33/+4
  The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted.
  https://fedorahosted.org/pki/ticket/2449

* Added support to create system certificates in different tokens.
  Endi S. Dewata | 2016-09-02 | 1 file | -4/+33
  Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token.
  https://fedorahosted.org/pki/ticket/2449

* Fixed default token name for system certificates.
  Endi S. Dewata | 2016-08-30 | 1 file | -3/+30
  Previously when installing with HSM the token name had to be specified for each system certificate in the pki_<cert>_token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name.
  https://fedorahosted.org/pki/ticket/2423

* Updated pki-server subsystem-cert-update CLI.
  Endi S. Dewata | 2016-08-22 | 1 file | -20/+29
  The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found. The NSSDatabase constructor has been modified to normalize the name of the internal NSS token to None. If the token name is None, certutil will be executed without the -h option. The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname.
  https://fedorahosted.org/pki/ticket/2440

* Allowing optional CA signing CSR.
  Endi S. Dewata | 2016-08-22 | 1 file | -4/+0
  The CA signing CSR is already stored in the request record which will be imported as part of the migration process, so it's not necessary to export and reimport the CSR file again for migration. To allow an optional CSR, the pki-server subsystem-cert-validate CLI has been modified to no longer check the CSR in CS.cfg. The ConfigurationUtils.loadCertRequest() has been modified to ignore the missing CSR in CS.cfg.
  https://fedorahosted.org/pki/ticket/2440
* Improved SystemConfigService.configure() error message.
  Endi S. Dewata | 2016-08-08 | 1 file | -22/+1
  The pkispawn has been modified to improve the way it displays the error message returned by SystemConfigService.configure(). If the method throws a PKIException, the response is returned as a JSON message, so pkispawn will parse it and display the actual error message. For other exceptions pkispawn will display the entire HTML message returned by Tomcat.
  https://fedorahosted.org/pki/ticket/2399
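The two-branch handling described in this commit message (JSON body from a PKIException, HTML error page from Tomcat for everything else), written out as an added example. This is not pkispawn's own code; it assumes the JSON body carries the text under a "Message" key and the class under "ClassName", and the sample bodies below are constructed.

```python
"""Added example (not Dogtag's pkispawn code): pick the real error text out of
a failed SystemConfigService.configure() response.

Assumptions: a PKIException serializes to JSON with "Message" and "ClassName"
keys; any non-JSON body is Tomcat's HTML error page.
"""
import json
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect the visible text of an HTML error page, dropping the markup."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        text = data.strip()
        if text:
            self.parts.append(text)


def extract_error_message(status, body):
    """Return one line describing a failed configure() call.

    JSON body (PKIException): "<ClassName without package>: <Message>".
    Anything else: "HTTP <status>: <visible text of the Tomcat page>", so the
    admin still sees the server-side reason instead of a wall of HTML.
    """
    try:
        data = json.loads(body)
    except (ValueError, TypeError):
        data = None

    if isinstance(data, dict) and "Message" in data:
        # Report the HTTP status we observed; never let the body's own "Code"
        # field or message override what the transport actually told us.
        cls = data.get("ClassName", "")
        if cls:
            return "%s: %s" % (cls.rsplit(".", 1)[-1], data["Message"])
        return str(data["Message"])

    parser = _TextExtractor()
    parser.feed(body or "")
    text = " ".join(parser.parts) or (body or "").strip()
    return "HTTP %d: %s" % (status, text)


# Constructed sample responses (not captured from a real instance).
SAMPLE_JSON = ('{"ClassName":"com.netscape.certsrv.base.PKIException",'
               '"Code":500,"Message":"Unable to create admin certificate"}')
SAMPLE_HTML = ("<html><head><title>Apache Tomcat - Error report</title></head>"
               "<body><h1>HTTP Status 500 - java.lang.NullPointerException</h1>"
               "</body></html>")

if __name__ == "__main__":
    print(extract_error_message(500, SAMPLE_JSON))
    print(extract_error_message(500, SAMPLE_HTML))
```

Parsing the body as JSON first and falling back to text extraction means a PKIException that happens to arrive with an unexpected Content-Type is still reported by its message, and a JSON body that is not an object (a bare number or string) is shown verbatim rather than crashing the installer.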
* Fixed PKCS #12 import for cloning.
  Endi S. Dewata | 2016-08-05 | 1 file | -2/+11
  To fix a cloning issue in IPA the security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for CA certificate and u,u,Pu for audit certificate). The ConfigurationUtils.restoreCertsFromP12() is now redundant and it should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates. The CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates.
  https://fedorahosted.org/pki/ticket/2424
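A practitioner verifying a clone wants to know which imported certificates still lack the trust flags named above and what to run to fix them. The following is an added example, not the project's security_database.py: it parses the listing produced by `certutil -L -d <db>` (the sample listing is constructed), compares each certificate's flags with the target flags (CT,C,C for the CA signing certificate and u,u,Pu for the audit signing certificate, as in the commit message) and emits the `certutil -M` command that would set them. The nickname prefixes and the assumption that other certificates need no trust change are the example's own.

```python
"""Added example (not Dogtag's code): check and repair NSS trust flags after a
PKCS #12 import. Only the CA and audit flags come from the commit message; the
nickname prefixes are assumed from a default pki-tomcat instance.
"""
import re

# Target trust flags by nickname role. The " cert-pki-ca" suffix varies per
# instance, so match on the role prefix only.
EXPECTED_TRUST = {
    "caSigningCert": "CT,C,C",      # from the commit message
    "auditSigningCert": "u,u,Pu",   # from the commit message
}

# A trust column is three comma-separated groups of certutil trust letters.
_TRUST_RE = re.compile(r"^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$")


def parse_certutil_list(output):
    """Parse `certutil -L` output into {nickname: trust_flags}.

    Nicknames may contain spaces, so split off only the last column; header
    lines are dropped because their last column is not a trust string.
    """
    certs = {}
    for line in output.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not _TRUST_RE.match(parts[1]):
            continue
        certs[parts[0].strip()] = parts[1]
    return certs


def normalize_trust(flags):
    """Compare trust decisions only: 'u' just records that the private key
    is present, so 'CTu,Cu,Cu' must count as equal to 'CT,C,C'."""
    return tuple("".join(sorted(set(f) - {"u"})) for f in flags.split(","))


def expected_for(nickname):
    for role, flags in EXPECTED_TRUST.items():
        if nickname == role or nickname.startswith(role + " "):
            return flags
    return None


def trust_fixes(output, db_dir, token=None):
    """Return [(nickname, certutil argv)] for every cert whose flags differ
    from the target; an empty list means the database already matches."""
    fixes = []
    for nickname, actual in parse_certutil_list(output).items():
        wanted = expected_for(nickname)
        if wanted is None or normalize_trust(actual) == normalize_trust(wanted):
            continue
        argv = ["certutil", "-M", "-d", db_dir, "-n", nickname, "-t", wanted]
        if token:  # certificate lives on an HSM slot rather than the softoken
            argv += ["-h", token]
        fixes.append((nickname, argv))
    return fixes


# Constructed `certutil -L` listing as it might look right after pk12util
# imported an IPA-generated PKCS #12 with no trust attributes.
SAMPLE_AFTER_IMPORT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed listing after the flags have been reset.
SAMPLE_FIXED = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

if __name__ == "__main__":
    for nick, argv in trust_fixes(SAMPLE_AFTER_IMPORT, "/var/lib/pki/pki-tomcat/alias"):
        print(nick, "->", " ".join(argv))
```

Running the commands the function returns, then re-running the check on fresh `certutil -L` output until it returns an empty list, is the loop the commit automates; checking on the listing rather than trusting the PKCS #12 contents is what catches the IPA-generated file that carries no trust attributes at all.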
* Added log messages for certificate import during cloning.
  Endi S. Dewata | 2016-08-05 | 1 file | -7/+35
  To help troubleshoot cloning issues the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import.
  https://fedorahosted.org/pki/ticket/2424

* Added check for Subsystem data and request in 'pki-server subsystem-cert-export'
  Abhijeet Kasurde | 2016-08-05 | 1 file | -3/+12
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>

* Add pkispawn option to disable Master CRL
  Ade Lee | 2016-08-04 | 1 file | -0/+4

* Fix deployment issue
  Ade Lee | 2016-08-02 | 1 file | -2/+5
  Need to put pki_server_side_keygen in a conditional to avoid breaking other subsystem deployments.
  Ticket 2418

* Do slot substitution for SERVER_KEYGEN
  Ade Lee | 2016-07-29 | 1 file | -0/+2
  Ticket 2418

* Fixed SELinux contexts.
  Endi S. Dewata | 2016-07-28 | 1 file | -1/+6
  The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances.
  https://fedorahosted.org/pki/ticket/2421

* Make starting CRL Number configurable.
  Jack Magne | 2016-07-27 | 1 file | -0/+4
  Ticket #2406 Make starting CRL Number configurable
  This simple patch provides a pkispawn config param that passes some starting crl number value to the config process. Here is a sample:
    [CA]
    pki_ca_starting_crl_number=4000
  After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000. Currently no other values are changed. We can talk about if we need more values reset in the given case.
  Also, this creates a setting in the CS.cfg:
    ca.crl.MasterCrl.startingCrlNumber=4000
  This setting is only consulted when the crl Issuing Point record is created for the first time.

* Removed hard-coded paths in deployment tool.
  Endi S. Dewata | 2016-07-26 | 1 file | -136/+7
  The deployment tool has been modified to link <instance>/common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms.
  https://fedorahosted.org/pki/ticket/2403

* Fixed param substitution problem.
  Endi S. Dewata | 2016-07-22 | 1 file | -2/+2
  The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string.
  https://fedorahosted.org/pki/ticket/2399

* Fixed certificate validation error message.
  Endi S. Dewata | 2016-07-14 | 1 file | -1/+1
  The pkihelper.py has been modified to display the correct external command name on system certificate validation error.
  https://fedorahosted.org/pki/ticket/2399

* Added fix for pki-server for db-update
  Geetika Kapoor | 2016-07-14 | 1 file | -2/+2
  fixes: https://fedorahosted.org/pki/ticket/1667
  Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
  Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>

* Added instance and subsystem validation for pki-server subsystem-* commands.
  Abhijeet Kasurde | 2016-07-06 | 1 file | -13/+53
  The pki-server subsystem-* commands have been updated to validate the instance and subsystem before proceeding with the operation.
  https://fedorahosted.org/pki/ticket/2399

* Updated notification message for DB subsystem command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -5/+15
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TPS subsystem command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -8/+26
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Updated notification message for TKS subsystem command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -0/+7
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Updated notification message for OCSP subsystem command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -0/+6
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Updated notification message for kra-db-vlv* command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -15/+23
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Added instance and subsystem validation for pki-server ca-* commands.
  Endi S. Dewata | 2016-07-01 | 1 file | -7/+37
  The pki-server ca-* commands have been modified to validate the instance and the CA subsystem before proceeding with the operation. The usage() methods and invocations have been renamed into print_help() for consistency.
  https://fedorahosted.org/pki/ticket/2364

* Fixed pki-server subsystem-cert-update.
  Endi S. Dewata | 2016-07-01 | 3 files | -96/+120
  The pki-server subsystem-cert-update is supposed to restore the system certificate data and requests into CS.cfg. The command was broken since the CASubsystem class that contains the code to find the certificate requests from the database was not loaded correctly. To fix the problem the CASubsystem class has been moved into pki/server/__init__.py. All pki-server subsystem-* commands have been modified to check the validity of the instance. An option has been added to the pki-server subsystem-cert-show command to display the data and request of a particular system certificate. The redundant output of the pki-server subsystem-cert-update has been removed. The updated certificate data and request can be obtained using the pki-server subsystem-cert-show command.
  https://fedorahosted.org/pki/ticket/2385

* AuthInfoAccess: use default OCSP URI if configured
  Fraser Tweedale | 2016-07-01 | 1 file | -0/+5
  The AuthInfoAccessExtDefault profile component constructs an OCSP URI based on the current host and port, if no URI is explicitly configured in the profile. Update the component to look in CS.cfg for the "ca.defaultOcspUri" config, and use its value if present. If not present, the old behaviour prevails. Also add the 'pki_default_ocsp_uri' pkispawn config to add the config during instance creation, so that the value will be used for the CA and system certificates.
  Fixes: https://fedorahosted.org/pki/ticket/2387

* Updated notification message for kra-db-vlv-del command
  Abhijeet Kasurde | 2016-07-01 | 1 file | -12/+16
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Added condition for checking instance id in kra commands
  Abhijeet Kasurde | 2016-07-01 | 2 files | -3/+22
  Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295

* Added fix for checking ldapmodify return code in db-schema-upgrade
  Abhijeet Kasurde | 2016-07-01 | 1 file | -5/+7
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769

* Added condition to verify instance id in db-schema-upgrade
  Abhijeet Kasurde | 2016-07-01 | 1 file | -0/+4
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351096

* Bugzilla #1203407 tomcatjss: missing ciphers
  Christina Fu | 2016-06-30 | 1 file | -3/+0
  This patch removes references to the ciphers currently unsupported by NSS:
    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256

* Normalize default softokn name
  Matthew Harmsen | 2016-06-28 | 1 file | -0/+10
  - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"

* Fixes: Invalid instance exception issue.
  Amol Kahat | 2016-06-28 | 1 file | -3/+37
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
* Fixes pki-server subsystem-* --help options.
  Amol Kahat | 2016-06-28 | 1 file | -74/+81
  Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718

* Fixed problem reading HSM password from password file.
  Endi S. Dewata | 2016-06-28 | 3 files | -24/+50
  A new method get_token_password() has been added into the PKIInstance Python class in order to read the token password correctly from password.conf. If the token is an internal token, it will read the 'internal' password. If it is an HSM it will read the password for 'hardware-<token>'. The code that calls get_password() to get the token password has been modified to use get_token_password() instead.
  https://fedorahosted.org/pki/ticket/2384

* Fixed Java dependency.
  Endi S. Dewata | 2016-06-17 | 4 files | -10/+27
  The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
  https://fedorahosted.org/pki/ticket/2363

* Fixed pki-server instance-start <instance> command. Fixed pki-server instance-stop <instance> command.
  Amol Kahat | 2016-06-15 | 1 file | -0/+18
  https://bugzilla.redhat.com/show_bug.cgi?id=1341953

* Add man page and clarify CLI for kra-connector
  Ade Lee | 2016-06-13 | 1 file | -2/+4

* Fixed --help option for instance-show, instance-start, instance-stop, instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable.
  Amol Kahat | 2016-06-13 | 1 file | -41/+42
  https://bugzilla.redhat.com/show_bug.cgi?id=1339263

* Updated KRA VLV management CLI.
  Endi S. Dewata | 2016-06-08 | 1 file | -25/+141
  A new pki-server kra-db-vlv-find command has been added to list existing KRA VLV indexes. The pki-server kra-db-vlv-reindex has been modified to wait until the reindex is complete.

* Added TPS VLV management CLI.
  Endi S. Dewata | 2016-06-08 | 2 files | -0/+506
  A set of pki-server commands has been added to simplify upgrading TPS VLV indexes.
  https://fedorahosted.org/pki/ticket/2354
  https://fedorahosted.org/pki/ticket/2263
  https://fedorahosted.org/pki/ticket/2269

* Add option to modify ajp_host to pkispawn
  Ade Lee | 2016-06-03 | 1 file | -0/+2
  This allows IPA to handle the case of a pure ipv6 environment in which the ipv4 loopback interface is not available.
  Ticket 1717

* Add commands to db-server to help with DB related changes
  Ade Lee | 2016-06-03 | 3 files | -3/+449
  Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
  Added pki-server db-schema-upgrade
  If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations. Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise.
  Tickets 2320, 2319

* Fix unknown TKS host and port connector error during TPS removal
  Matthew Harmsen | 2016-06-02 | 1 file | -10/+3
  - PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat throws error.

* Fixed support for generic CSR extensions.
  Endi S. Dewata | 2016-05-25 | 2 files | -2/+72
  The deployment tool has been modified to support adding the Subordinate CA extension into the CSR for Microsoft CA, and also adding generic extensions to any system certificate.
  https://fedorahosted.org/pki/ticket/2312

* Ignoring blank and comment lines in configuration files.
  Endi S. Dewata | 2016-05-24 | 1 file | -2/+11
  The PKISubsystem.load() and PKIInstance.load() have been modified to ignore blank and comment lines in CS.cfg and password.conf. If the code fails to parse a line it will throw an exception showing the location of the invalid line.
  https://fedorahosted.org/pki/ticket/2314

* Renamed pki-server ca-db-upgrade to db-upgrade.
  Endi S. Dewata | 2016-05-14 | 2 files | -81/+131
  The pki-server ca-db-upgrade command has been renamed to db-upgrade to be more general. In the future the command can be refactored to handle additional upgrade scripts. Additional log messages have been added to show the upgrade activities in verbose mode.
  https://fedorahosted.org/pki/ticket/1667

* Add pki-server ca-db-upgrade command
  Fraser Tweedale | 2016-05-14 | 1 file | -0/+81
  Add the 'ca-db-upgrade' command to 'pki-server'. This command updates certificate records to add the issuerName attribute where missing. If other database updates are needed in future, they can be added to this command.
  Part of: https://fedorahosted.org/pki/ticket/1667

* Fixed pki-server subsystem-cert-validate command.
  Endi S. Dewata | 2016-05-13 | 1 file | -32/+83
  The system certificate validation command has been modified to check for both 'internal' and 'Internal Key Storage Token' since both are valid names for the internal token. Additional checks have been added to validate the certificate parameters in CS.cfg. The output of the command has been modified to be more consistent with other pki-server commands. The pki client-cert-validate invocation has been fixed to use the -C option to specify the NSS database password in a file.
  https://fedorahosted.org/pki/ticket/2043
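Several entries in this log deal with the same small set of token-handling rules: the internal NSS token goes by 'internal', 'Internal' and 'Internal Key Storage Token' and must be treated as one thing (the subsystem-cert-validate and "Normalize default softokn name" commits); certutil gets -h and a "token:" nickname prefix only for a real token (the subsystem-cert-update commit); the password for the internal token is the 'internal' entry of password.conf while an HSM uses 'hardware-<token>' (the get_token_password() commit); each system certificate's token comes from pki_<cert>_token and falls back to pki_token_name (the default-token commits); and blank and comment lines in CS.cfg and password.conf are skipped with invalid lines reported by location (the "Ignoring blank and comment lines" commit). The following is an added example that puts those rules in one place; it is not the pki.server module's own code. The key=value file format, the '#' comment marker, the certutil options used and the sample password.conf and deployment parameters are assumptions of the example.

```python
"""Added example (not Dogtag's pki.server code): the token-name, token-password
and config-parsing rules described in the commit log, applied together.

Assumptions: password.conf and CS.cfg are key=value lines with '#' comments;
pkispawn parameters are pki_token_name and pki_<cert>_token; certutil is run
with -f <password file>, -h <token> and a "token:nickname" nickname.
"""

# Every spelling of the NSS softoken that the commits say must be accepted.
INTERNAL_TOKEN_NAMES = ("internal", "internal key storage token")


class ConfigError(ValueError):
    pass


def load_properties(text, source="password.conf"):
    """Parse key=value lines, skipping blank and '#' comment lines and naming
    the file and line number of anything that does not parse."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ConfigError("%s:%d: invalid line: %r" % (source, lineno, raw))
        props[key.strip()] = value.strip()
    return props


def normalize_token(name):
    """Return None for any spelling of the internal token, else the HSM name."""
    if name is None or name.strip().lower() in INTERNAL_TOKEN_NAMES:
        return None
    return name.strip()


def resolve_cert_token(deployment, cert):
    """Token for one system cert: pki_<cert>_token, falling back to pki_token_name."""
    name = deployment.get("pki_%s_token" % cert) or deployment.get("pki_token_name")
    return normalize_token(name)


def get_token_password(passwords, token):
    """'internal' entry for the softoken, 'hardware-<token>' for an HSM."""
    token = normalize_token(token)
    key = "internal" if token is None else "hardware-" + token
    if key not in passwords:
        raise ConfigError("no password for %r in password.conf" % key)
    return passwords[key]


def certutil_args(db_dir, token, nickname, password_file):
    """argv to export one cert in PEM: -h and the token prefix only for a real
    token, since certutil rejects -h for the internal token's own name."""
    token = normalize_token(token)
    argv = ["certutil", "-L", "-d", db_dir, "-f", password_file]
    if token is not None:
        argv += ["-h", token]
        nickname = "%s:%s" % (token, nickname)
    argv += ["-n", nickname, "-a"]
    return argv


# Constructed sample data, not taken from a real instance.
SAMPLE_PASSWORD_CONF = """\
# constructed sample password.conf
internal=Secret.123

hardware-nfast=HSM.Secret
internaldb=DbPassword
"""
SAMPLE_DEPLOYMENT = {
    "pki_token_name": "nfast",
    # the audit key deliberately stays in the softoken
    "pki_audit_signing_token": "Internal Key Storage Token",
}

if __name__ == "__main__":
    pw = load_properties(SAMPLE_PASSWORD_CONF)
    for cert in ("ca_signing", "audit_signing"):
        token = resolve_cert_token(SAMPLE_DEPLOYMENT, cert)
        print(cert, token, get_token_password(pw, token))
```

Normalizing the token name once, at the boundary where it is read from configuration, is what makes the rest of the code simple: every later decision (password key, -h option, nickname prefix) branches on "is this None" rather than on string comparisons against three spellings, which is the bug class the validate and softokn commits were fixing.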