| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
instance-stop <instance> command.
https://bugzilla.redhat.com/show_bug.cgi?id=1341953
|
| | |
|
| |
|
|
|
|
| |
instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable.
https://bugzilla.redhat.com/show_bug.cgi?id=1339263
|
| |
|
|
|
|
| |
A new pki-server kra-db-vlv-find command has been added to list
existing KRA VLV indexes. The pki-server kra-db-vlv-reindex has
been modified to wait until the reindex is complete.
|
| |
|
|
|
|
|
|
|
| |
A set of pki-server commands has been added to simplify upgrading
TPS VLV indexes.
https://fedorahosted.org/pki/ticket/2354
https://fedorahosted.org/pki/ticket/2263
https://fedorahosted.org/pki/ticket/2269
|
| |
|
|
|
|
|
|
| |
This allows IPA to handle the case of a pure ipv6
environment in which the ipv4 loopback interface is
not available.
Ticket 1717
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex
Added pki-server db-schema-upgrade
If the admin has the directory manager (or equivalent) simple creds,
then they can enter them as parameters and perform the operations.
Otherwise, they can specify --generate-ldif to generate LDIF files
containing the changes that need to be implemented, and implement
them using GSSAPI or otherwise.
Tickets 2320, 2319
|
| |
|
|
|
| |
- PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat
throws error.
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to support adding Subordinate
CA extension into the CSR for Microsoft CA, and also adding generic
extensions to any system certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
|
|
| |
The PKISubsystem.load() and PKIInstance.load() have been modified
to ignore blank and comment lines in CS.cfg and password.conf. If
the code fails to parse a line it will throw an exception showing
the location of the invalid line.
https://fedorahosted.org/pki/ticket/2314
|
| |
|
|
|
|
|
|
|
| |
The pki-server ca-db-upgrade command has been renamed to db-upgrade
to be more general. In the future the command can be refactored to
handle additional upgrade scripts. Additional log messages have
been added to show the upgrade activities in verbose mode.
https://fedorahosted.org/pki/ticket/1667
|
| |
|
|
|
|
|
|
|
| |
Add the 'ca-db-upgrade' command to 'pki-server'. This command
updates certificate records to add the issuerName attribute where
missing. If other database updates are needed in future, they can
be added to this command.
Part of: https://fedorahosted.org/pki/ticket/1667
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The system certificate validation command has been modified to
check for both 'internal' and 'Internal Key Storage Token' since
both are valid names for the internal token.
Additional checks have been added to validate the certificate
parameters in CS.cfg.
The output of the command has been modified to be more consistent
with other pki-server commands.
The pki client-cert-validate invocation has been fixed to use -C
option to specify the NSS database password in a file.
https://fedorahosted.org/pki/ticket/2043
|
| |
|
|
|
|
|
|
| |
The deployment tool has been modified to generate CSR with basic
constraints and key usage extensions for the externally-signed CA
signing certificate.
https://fedorahosted.org/pki/ticket/2312
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, in external CA case if pkispawn was executed with
pki_skip_configuration=True, it would stop the execution before
the step 1 was fully completed (i.e. generating CSR), but it would
incorrectly show a message indicating the CSR has been generated.
The code that displays the installation summary has been fixed to
check for pki_skip_configuration first before checking for external
CA case to ensure that it displays the appropriate message for each
step.
The code that generates the Tomcat instance systemd service link
was moved into instance_layout.py to avoid redundant executions.
The pkispawn and pkidestroy have also be modified to remove
redundant log of deployment parameters in master dictionary.
|
| |
|
|
|
|
|
|
|
|
|
| |
New deployment parameters have been added to customize the serial
number range, request number range, and replica number range in
CS.cfg during installation.
The code that generates the CS.cfg has been moved closer to the
code that generates the subsystem configuration folder.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
|
|
|
|
|
| |
Previously a deployment parameter has to be added to pkislots.cfg
before it can be used in copy_with_slot_substitution(). The method
has been modified to support substitutions using the deployment
parameters directly, which simplifies the development.
https://fedorahosted.org/pki/ticket/2278
|
| |
|
|
|
|
|
|
| |
When either an existing CA or external CA installation is
performed, use the pki-server cert validation tool to check
the signing certiticate and chain.
Ticket #2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We add two different calls:
1. pki client-cert-validate - which checks a certificate in the client
certdb and calls the System cert verification call performed by JSS
in the system self test. This does some basic extensions and trust
tests, and also validates cert validity and cert trust chain.
2. pki-server subsystem-cert-validate <subsystem>
This calls pki client-cert-validate using the nssdb for the subsystem
on all of the system certificates by default (or just one if the
nickname is defined).
This is a great thing to call when healthchecking an instance,
and also will be used by pkispawn to verify the signing cert in the
externally signed CA case.
Trac Ticket 2043
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the finalization scriptlet was always executed in each
pkispawn execution. In multi-step installations (e.g. external CA,
standalone, or installation/configuration-only mode) some of the
code in the scriptlet such as enabling systemd service, restarting
the service, and purging client database will be redundant.
Now the scriptlet has been modified to execute only in the final
step of the installation. The code that archives the deployment
and manifest files has been moved into pkispawn to ensure that it
is always executed in each pkispawn execution.
For clarity the method that displays the installation summary has
been broken up into separate methods for standalone step 1,
installation-only mode, and configuration-only/full installation.
|
| |
|
|
|
|
|
|
| |
The unused rv instance variables in all deployment scriptlets have
been removed. The spawn() and destroy() are now returning None
instead of error code. If an error happens during execution the
scriptlet will throw an exception which will be caught by pkispawn
or pkidestroy and then displayed to the user.
|
| |
|
|
|
|
|
|
| |
The CLIs for exporting PKCS #12 file have been modified to accept
options to export without trust flags, keys, and/or certificate
chain.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
| |
To avoid possible conflicts imported external certificates, the
self-signed SSL server certificate creation has been moved after
the external certificates have been imported into the NSS database
and before the server is started.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
| |
For consistency the pki pkcs12-export has been modified to
overwrite the PKCS #12 output file by default. A new option has
been added to append the exported certificates and keys into the
output file if the file already exists.
The same option has been added to the The pki-server
instance-cert-export and subsystem-cert-export commands.
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki_existing deployment property has been added to install
CA with existing CA certificate and key in a single step.
New certificate deployment properties have been added as aliases
for some external CA properties to allow them to be used in more
general cases:
- pki_ca_signing_csr_path -> pki_external_csr_path
- pki_ca_signing_cert_path -> pki_external_ca_cert_path
- pki_cert_chain_path -> pki_external_ca_cert_chain_path
- pki_cert_chain_nickname -> pki_external_ca_cert_chain_nickname
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
| |
New PKCS #12 deployment properties have been added as aliases
for some external CA properties to allow them to be used in
more general cases:
- pki_pkcs12_path -> pki_external_pkcs12_path
- pki_pkcs12_password -> pki_external_pkcs12_password
https://fedorahosted.org/pki/ticket/1736
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some variables in pkispawn and pkidestroy have been renamed for
clarity.
The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.
The constant pki_self_signed_token property has been moved into
default.cfg.
https://fedorahosted.org/pki/ticket/2247
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
| |
The upgrade uses instance and subsystem as keys for dicts.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
| |
|
|
|
|
|
|
| |
In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.
https://fedorahosted.org/pki/ticket/2216
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
|
| |
|
|
|
| |
I forgot to decode the output of subprocess.check_call(). All other
places decode bytes to text properly.
|
| |
|
|
|
|
| |
We do a check for the dnsdomainname, which fails in Openstack
CI because this is not set. Instead of exiting, default to
the hostname.
|
| |
|
|
|
|
|
|
|
| |
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
| |
https://fedorahosted.org/pki/ticket/1738
|
| |
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
| |
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKIConnection class uses python-requests for HTTPS. The library
picks up several settings from environment variables, e.g. HTTP proxy
server, certificate bundle with trust anchors and authentication. A
proxy can interfere with the Dogtag installer and cause some operations
to fail.
With session.trust_env = False python-requests no longer inspects the
environment and Dogtag has full controll over its connection settings.
For backward compatibility reasons trust_env is only disabled during
installation and removal of Dogtag.
https://requests.readthedocs.org/en/latest/api/?highlight=trust_env#requests.Session.trust_env
https://fedorahosted.org/pki/ticket/1733
https://fedorahosted.org/freeipa/ticket/5555
|
| |
|
|
|
|
|
|
|
| |
A lot of Python files start with a #!/usr/bin/python shebang although
the files are neither executables nor designed as scripts. Shebangs are
only required for executable scripts.
Without unnecessary shebangs it's a bit easier to track Python 3
porting.
|
| |
|
|
|
|
|
|
|
|
| |
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in password field such as
pki_clone_pkcs12_password causes an installation error.
https://fedorahosted.org/pki/ticket/1703
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
| |
A new command has been added to export a system certificate, the
CSR, and the key. This command can be used to migrate a system
certificate into another instance.
https://fedorahosted.org/pki/ticket/456
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-core.spec has been modified to execute pki-server migrate
when the package is installed. This way when upgrading from F22 to
F23 all PKI instances will be migrated automatically to Tomcat 8.
The pki-server migrate command has been modified such that if there
is no specific Tomcat version specified it will use the current
Tomcat version.
The top attribute in the CLI class was not functioning properly,
so it has been replaced with get_top_module() method.
The getopt() invocations in pki-server subcommands have been
replaced with gnu_getopt() to allow intermixing options and
arguments.
https://fedorahosted.org/pki/ticket/1310
|
