summaryrefslogtreecommitdiffstats
path: root/base/server/python
Commit message (Collapse)AuthorAgeFilesLines
* Refactored deployment system variables.Endi S. Dewata2016-12-223-10/+20
| | | | | | To improve reusability the deployment system variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.
* Refactored deployment timestamp variables.Endi S. Dewata2016-12-223-7/+13
| | | | | | To improve reusability the deployment timestamp variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.
* Refactored PKIConfigParser.flatten_master_dict().Endi S. Dewata2016-12-222-23/+24
| | | | | To improve reusability the flatten_master_dict() has been moved from PKIConfigParser into PKIDeployer.
* Refactored PKIDeployer.Endi S. Dewata2016-12-223-103/+129
| | | | | To improve reusability the PKIDeployer class has been moved from the pkihelper.py into the top level pki.server.deployment module.
* Refactored pki_subsystem object in pkiconfig.py.Endi S. Dewata2016-12-213-7/+8
| | | | | | To improve reusability the pki_subsystem object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.
* Refactored pki_config object in pkiparser.py.Endi S. Dewata2016-12-212-22/+22
| | | | | To improve reusability the pki_config object has been moved from PKIConfigParser into PKIDeployer.
* Refactored user_config object in pkiconfig.py.Endi S. Dewata2016-12-213-12/+13
| | | | | | To improve reusability the user_config object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.
* Refactored master & slots dictionaries creation.Endi S. Dewata2016-12-212-7/+29
| | | | | | | To improve reusability the deployment tools have been modified such that the master and slots dictionary objects are created in PKIDeployer at the beginning of the program. The PKIConfigParser has been modified to use the same dictionary objects.
* Refactored pki_copytree().Endi S. Dewata2016-12-211-78/+2
| | | | | | The pki_copytree() has been moved from pkihelper.py into pki/util.py such that it can be reused in non-deployment scenarios.
* Updated log4j.properties.Endi S. Dewata2016-11-181-1/+6
| | | | | | | | | | | | | To reduce maintenance the log4j.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in the /var/lib/pki/<instance>/lib folder pointing to the default file in /usr/share/pki/server/conf. The default log4j.properties has been updated to remove redundant lines. By default only log messages with level WARN or higher will be logged on the console. https://fedorahosted.org/pki/ticket/1897
* Updated logging.properties.Endi S. Dewata2016-11-181-2/+14
| | | | | | | | | | | | To reduce maintenance the logging.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in /etc/pki/<instance> pointing to the default file in /usr/share/pki/server/conf. The default logging.properties has been updated to only log messages with level WARNING or higher on the console. https://fedorahosted.org/pki/ticket/1897
* Fixed hanging subordinate CA with HSM installation in FIPS mode.Endi S. Dewata2016-11-161-13/+8
| | | | | | | | | | | | | | | | | | | When installing subordinate CA with HSM, the installer calls the pki CLI (which is implemented using JSS) to validate the imported CA certificate in HSM. Normally, the HSM password is specified as CLI parameter, but in FIPS mode JSS requires both the HSM and the internal token passwords. Since the CLI only takes one password, JSS will prompt for the missing one on the console causing the installation to hang. As a temporary solution, the pki-server subsystem-cert-validate command has been modified to validate certificates stored in the internal token only and it will use the internal token password, so only a single password is required. Further investigation in CLI/JSS/NSS is needed to support validating certificates in HSM without password prompts. https://fedorahosted.org/pki/ticket/2543
* Fixed problem installing subordinate CA with HSM in FIPS mode.Endi S. Dewata2016-11-161-1/+2
| | | | | | | | | | | | | | Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM in FIPS mode. First, the certificate will be imported into the HSM using the HSM password without the trust attributes. Then, the certificate will be imported into the internal token using the internal token password with the trust attributes. https://fedorahosted.org/pki/ticket/2543
* Fix for flake8 errors on Fedora 26 (cheimes)Matthew Harmsen2016-10-191-4/+6
|
* Fixed installation error message.Endi S. Dewata2016-10-121-1/+1
| | | | | | | | The verify_subsystem_does_not_exist() has been modified to display the proper error message when the subsystem to be installed already exists. https://fedorahosted.org/pki/ticket/2476
* Removed support for creating system certificates in different tokens.Endi S. Dewata2016-09-081-33/+4
| | | | | | | | The patch that added the support for creating system certificates in different tokens causes issues in certain cases, so for now it has been reverted. https://fedorahosted.org/pki/ticket/2449
* Added support to create system certificates in different tokens.Endi S. Dewata2016-09-021-4/+33
| | | | | | | | | | | | | | | | Previously all system certificates were always created in the same token specified in the pki_token_name parameter. To allow creating system certificates in different tokens, the configuration.py has been modified to store the system certificate token names specified in pki_<cert>_token parameters into the CS.cfg before the server is started. After the server is started, the configuration servlet will read the token names from the CS.cfg and create the certificates in the appropriate token. https://fedorahosted.org/pki/ticket/2449
* Fixed default token name for system certificates.Endi S. Dewata2016-08-301-3/+30
| | | | | | | | | Previously when installing with HSM the token name has to be specified for each system certificate in the pki_<cert>_token parameters. The deployment tool has been modified such that by default it will use the token name specified in pki_token_name. https://fedorahosted.org/pki/ticket/2423
* Updated pki-server subsystem-cert-update CLI.Endi S. Dewata2016-08-221-20/+29
| | | | | | | | | | | | | | | | The pki-server subsystem-cert-update CLI has been updated to use certutil to retrieve the certificate data from the proper token. It will also show a warning if the certificate request cannot be found. The NSSDatabase constructor has been modified to normalize the name of internal NSS token to None. If the token name is None, the certutil will be executed without the -h option. The NSSDatabase.get_cert() has been modified to prepend the token name to the certificate nickname. https://fedorahosted.org/pki/ticket/2440
* Allowing optional CA signing CSR.Endi S. Dewata2016-08-221-4/+0
| | | | | | | | | | | | | The CA signing CSR is already stored in request record which will be imported as part of migration process, so it's not necessary to export and reimport the CSR file again for migration. To allow optional CSR, the pki-server subsystem-cert-validate CLI has been modified to no longer check the CSR in CS.cfg. The ConfigurationUtils.loadCertRequest() has been modified to ignore the missing CSR in CS.cfg. https://fedorahosted.org/pki/ticket/2440
* Improved SystemConfigService.configure() error message.Endi S. Dewata2016-08-081-22/+1
| | | | | | | | | | | The pkispawn has been modified to improve the way it displays the error message returned by SystemConfigService.configure(). If the method throws a PKIException, the response is returned as a JSON message, so pkispawn will parse it and display the actual error message. For other exceptions pkispawn will display the entire HTML message returned by Tomcat. https://fedorahosted.org/pki/ticket/2399
* Fixed PKCS #12 import for cloning.Endi S. Dewata2016-08-051-2/+11
| | | | | | | | | | | | | | | | | | To fix cloning issue in IPA the security_database.py has been modified to import all certificates and keys in the PKCS #12 file before the PKI server is started. Since the PKCS #12 generated by IPA may not contain the certificate trust flags, the script will also reset the trust flags on the imported certificates (i.e. CT,C,C for CA certificate and u,u,Pu for audit certificate). The ConfigurationUtils.restoreCertsFromP12() is now redundant and it should be removed in the future, but for now it has been modified to set the same trust flags on imported certificates. The CryptoUtil.importCertificateChain() has also been modified to set the same trust flags on imported certificates. https://fedorahosted.org/pki/ticket/2424
* Added log messages for certificate import during cloning.Endi S. Dewata2016-08-051-7/+35
| | | | | | | | To help troubleshooting cloning issues the security_databases.py has been modified to log the content of the PKCS #12 file before import and the NSS database after import. https://fedorahosted.org/pki/ticket/2424
* Added check for Subsystem data and request in 'pki-server subsystem-cert-export'Abhijeet Kasurde2016-08-051-3/+12
| | | | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
* Add pkispawn option to disable Master CRLAde Lee2016-08-041-0/+4
|
* Fix deployment issueAde Lee2016-08-021-2/+5
| | | | | | | Need to put pki_server_side_keygen in a conditional to avoid breaking other subsystem deployments. Ticket 2418
* Do slot substitution for SERVER_KEYGENAde Lee2016-07-291-0/+2
| | | | Ticket 2418
* Fixed SELinux contexts.Endi S. Dewata2016-07-281-1/+6
| | | | | | | | | | The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances. https://fedorahosted.org/pki/ticket/2421
* Make starting CRL Number configurable.Jack Magne2016-07-271-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | Ticket #2406 Make starting CRL Number configurable This simple patch provides a pkispawn config param that passes some starting crl number value to the config process. Here is a sample: [CA] pki_ca_starting_crl_number=4000 After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000. Currently no other values are changed. We can talk about if we need more values reset in the given case. Also, this creates a setting in the CS.cfg ca.crl.MasterCrl.startingCrlNumber=4000 This setting is only consulted when the crl Issuing Point record is created for the first time.
* Removed hard-coded paths in deployment tool.Endi S. Dewata2016-07-261-136/+7
| | | | | | | | | The deployment tool has been modified to link <instance>/common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms. https://fedorahosted.org/pki/ticket/2403
* Fixed param substitution problem.Endi S. Dewata2016-07-221-2/+2
| | | | | | | The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string. https://fedorahosted.org/pki/ticket/2399
* Fixed certificate validation error message.Endi S. Dewata2016-07-141-1/+1
| | | | | | | The pkihelper.py has been modified to display the correct external command name on system certificate validation error. https://fedorahosted.org/pki/ticket/2399
* Added fix for pki-server for db-updateGeetika Kapoor2016-07-141-2/+2
| | | | | | | fixes: https://fedorahosted.org/pki/ticket/1667 Signed-off-by: Geetika Kapoor <gkapoor@redhat.com> Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
* Added instance and subsystem validation for pki-server subsystem-* commands.Abhijeet Kasurde2016-07-061-13/+53
| | | | | | | The pki-server subsystem-* commands have been updated to validate the instance and subsystem before proceeding with the operation. https://fedorahosted.org/pki/ticket/2399
* Updated notification message for DB subsystem commandAbhijeet Kasurde2016-07-011-5/+15
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TPS subsystem commandAbhijeet Kasurde2016-07-011-8/+26
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TKS subsystem commandAbhijeet Kasurde2016-07-011-0/+7
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for OCSP subsystem commandAbhijeet Kasurde2016-07-011-0/+6
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for kra-db-vlv* commandAbhijeet Kasurde2016-07-011-15/+23
| | | | Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added instance and subsystem validation for pki-server ca-* commands.Endi S. Dewata2016-07-011-7/+37
| | | | | | | | | | | The pki-server ca-* commands have been modified to validate the instance and the CA subsystem before proceeding with the operation. The usage() methods and invocations have been renamed into print_help() for consistency. https://fedorahosted.org/pki/ticket/2364
* Fixed pki-server subsystem-cert-update.Endi S. Dewata2016-07-013-96/+120
| | | | | | | | | | | | | | | | | | | | | | The pki-server subsystem-cert-update is supposed to restore the system certificate data and requests into CS.cfg. The command was broken since the CASubsystem class that contains the code to find the certificate requests from database was not loaded correctly. To fix the problem the CASubsystem class has been moved into the pki/server/__init__.py. All pki-server subsystem-* commands have been modified to check the validity of the instance. An option has been added to the pki-server subsystem-cert-show command to display the data and request of a particular system certificate. The redundant output of the pki-server subsystem-cert-update has been removed. The updated certificate data and request can be obtained using the pki-server subsystem-cert-show command. https://fedorahosted.org/pki/ticket/2385
* AuthInfoAccess: use default OCSP URI if configuredFraser Tweedale2016-07-011-0/+5
| | | | | | | | | | | | | | | | The AuthInfoAccessExtDefault profile component constructs an OCSP URI based on the current host and port, if no URI is explicitly configured in the profile. Update the component to look in CS.cfg for the "ca.defaultOcspUri" config, and use its value if present. If not present, the old behaviour prevails. Also add the 'pki_default_ocsp_uri' pkispawn config to add the config during instance creation, so that the value will be used for the CA and system certificates. Fixes: https://fedorahosted.org/pki/ticket/2387
* Updated notification message for kra-db-vlv-del commandAbhijeet Kasurde2016-07-011-12/+16
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added condition for checking instance id in kra commandsAbhijeet Kasurde2016-07-012-3/+22
| | | | Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added fix for checking ldapmodify return code in db-schema-upgradeAbhijeet Kasurde2016-07-011-5/+7
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
* Added condition to verify instance id in db-schema-upgradeAbhijeet Kasurde2016-07-011-0/+4
| | | | Fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1351096
* Bugzilla #1203407 tomcatjss: missing ciphersChristina Fu2016-06-301-3/+0
| | | | | | This patch removes references to the ciphers currently unsupported by NSS: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Normalize default softokn nameMatthew Harmsen2016-06-281-0/+10
| | | | | - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"
* Fixes: Invalid instance exception issue.Amol Kahat2016-06-281-3/+37
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
* Fixes pki-server subsystem-* --help options.Amol Kahat2016-06-281-74/+81
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718
generated by cgit (git 2.34.1) at 2026-01-26 22:09:46 +0000