summaryrefslogtreecommitdiffstats
path: root/base/server/python
Commit message (Collapse)AuthorAgeFilesLines
...
* Do slot substitution for SERVER_KEYGENAde Lee2016-07-291-0/+2
| | | | Ticket 2418
* Fixed SELinux contexts.Endi S. Dewata2016-07-281-1/+6
| | | | | | | | | | The deployment tool has been modified to set up SELinux contexts after all instance files have been created to ensure they have the correct contexts. An upgrade script has been added to fix existing instances. https://fedorahosted.org/pki/ticket/2421
* Make starting CRL Number configurable.Jack Magne2016-07-271-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | Ticket #2406 Make starting CRL Number configurable This simple patch provides a pkispawn config param that passes some starting crl number value to the config process. Here is a sample: [CA] pki_ca_starting_crl_number=4000 After the CA comes up the value of "crlNumber" in the db will reflect that value of 4000. Currently no other values are changed. We can talk about if we need more values reset in the given case. Also, this creates a setting in the CS.cfg ca.crl.MasterCrl.startingCrlNumber=4000 This setting is only consulted when the crl Issuing Point record is created for the first time.
* Removed hard-coded paths in deployment tool.Endi S. Dewata2016-07-261-136/+7
| | | | | | | | | The deployment tool has been modified to link <instance>/common to /usr/share/pki/server/common instead of creating separate links for each dependency. This allows the RPM spec to customize the links for different platforms. https://fedorahosted.org/pki/ticket/2403
* Fixed param substitution problem.Endi S. Dewata2016-07-221-2/+2
| | | | | | | The string splice operation in substitute_deployment_params() has been fixed to include the rest of the string. https://fedorahosted.org/pki/ticket/2399
* Fixed certificate validation error message.Endi S. Dewata2016-07-141-1/+1
| | | | | | | The pkihelper.py has been modified to display the correct external command name on system certificate validation error. https://fedorahosted.org/pki/ticket/2399
* Added fix for pki-server for db-updateGeetika Kapoor2016-07-141-2/+2
| | | | | | | fixes: https://fedorahosted.org/pki/ticket/1667 Signed-off-by: Geetika Kapoor <gkapoor@redhat.com> Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
* Added instance and subsystem validation for pki-server subsystem-* commands.Abhijeet Kasurde2016-07-061-13/+53
| | | | | | | The pki-server subsystem-* commands have been updated to validate the instance and subsystem before proceeding with the operation. https://fedorahosted.org/pki/ticket/2399
* Updated notification message for DB subsystem commandAbhijeet Kasurde2016-07-011-5/+15
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TPS subsystem commandAbhijeet Kasurde2016-07-011-8/+26
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for TKS subsystem commandAbhijeet Kasurde2016-07-011-0/+7
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for OCSP subsystem commandAbhijeet Kasurde2016-07-011-0/+6
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Updated notification message for kra-db-vlv* commandAbhijeet Kasurde2016-07-011-15/+23
| | | | Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added instance and subsystem validation for pki-server ca-* commands.Endi S. Dewata2016-07-011-7/+37
| | | | | | | | | | | The pki-server ca-* commands have been modified to validate the instance and the CA subsystem before proceeding with the operation. The usage() methods and invocations have been renamed into print_help() for consistency. https://fedorahosted.org/pki/ticket/2364
* Fixed pki-server subsystem-cert-update.Endi S. Dewata2016-07-013-96/+120
| | | | | | | | | | | | | | | | | | | | | | The pki-server subsystem-cert-update is supposed to restore the system certificate data and requests into CS.cfg. The command was broken since the CASubsystem class that contains the code to find the certificate requests from database was not loaded correctly. To fix the problem the CASubsystem class has been moved into the pki/server/__init__.py. All pki-server subsystem-* commands have been modified to check the validity of the instance. An option has been added to the pki-server subsystem-cert-show command to display the data and request of a particular system certificate. The redundant output of the pki-server subsystem-cert-update has been removed. The updated certificate data and request can be obtained using the pki-server subsystem-cert-show command. https://fedorahosted.org/pki/ticket/2385
* AuthInfoAccess: use default OCSP URI if configuredFraser Tweedale2016-07-011-0/+5
| | | | | | | | | | | | | | | | The AuthInfoAccessExtDefault profile component constructs an OCSP URI based on the current host and port, if no URI is explicitly configured in the profile. Update the component to look in CS.cfg for the "ca.defaultOcspUri" config, and use its value if present. If not present, the old behaviour prevails. Also add the 'pki_default_ocsp_uri' pkispawn config to add the config during instance creation, so that the value will be used for the CA and system certificates. Fixes: https://fedorahosted.org/pki/ticket/2387
* Updated notification message for kra-db-vlv-del commandAbhijeet Kasurde2016-07-011-12/+16
| | | | Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added condition for checking instance id in kra commandsAbhijeet Kasurde2016-07-012-3/+22
| | | | Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
* Added fix for checking ldapmodify return code in db-schema-upgradeAbhijeet Kasurde2016-07-011-5/+7
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
* Added condition to verify instance id in db-schema-upgradeAbhijeet Kasurde2016-07-011-0/+4
| | | | Fixes : https://bugzilla.redhat.com/show_bug.cgi?id=1351096
* Bugzilla #1203407 tomcatjss: missing ciphersChristina Fu2016-06-301-3/+0
| | | | | | This patch removes references to the ciphers currently unsupported by NSS: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Normalize default softokn nameMatthew Harmsen2016-06-281-0/+10
| | | | | - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"
* Fixes: Invalid instance exception issue.Amol Kahat2016-06-281-3/+37
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
* Fixes pki-server subsystem-* --help options.Amol Kahat2016-06-281-74/+81
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718
* Fixed problem reading HSM password from password file.Endi S. Dewata2016-06-283-24/+50
| | | | | | | | | | | | | A new method get_token_password() has been added into PKIInstance Python class in order to read the token password correctly from password.conf. If the token is an internal token, it will read the 'internal' password. If it is an HSM it will read the password for 'hardware-<token>'. The codes that call the get_password() to get token password have been modified to use get_token_password() instead. https://fedorahosted.org/pki/ticket/2384
* Fixed Java dependency.Endi S. Dewata2016-06-174-10/+27
| | | | | | | | | | The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf. https://fedorahosted.org/pki/ticket/2363
* Fixed pki-server instance-start <instance> command. Fixed pki-server ↵Amol Kahat2016-06-151-0/+18
| | | | | | instance-stop <instance> command. https://bugzilla.redhat.com/show_bug.cgi?id=1341953
* Add man page and clarify CLI for kra-connectorAde Lee2016-06-131-2/+4
|
* Fixed --help option for instance-show, instance-start, instance-stop, ↵Amol Kahat2016-06-131-41/+42
| | | | | | instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable. https://bugzilla.redhat.com/show_bug.cgi?id=1339263
* Updated KRA VLV management CLI.Endi S. Dewata2016-06-081-25/+141
| | | | | | A new pki-server kra-db-vlv-find command has been added to list existing KRA VLV indexes. The pki-server kra-db-vlv-reindex has been modified to wait until the reindex is complete.
* Added TPS VLV management CLI.Endi S. Dewata2016-06-082-0/+506
| | | | | | | | | A set of pki-server commands has been added to simplify upgrading TPS VLV indexes. https://fedorahosted.org/pki/ticket/2354 https://fedorahosted.org/pki/ticket/2263 https://fedorahosted.org/pki/ticket/2269
* Add option to modify ajp_host to pkispawnAde Lee2016-06-031-0/+2
| | | | | | | | This allows IPA to handle the case of a pure ipv6 environment in which the ipv4 loopback interface is not available. Ticket 1717
* Add commands to db-server to help with DB related changesAde Lee2016-06-033-3/+449
| | | | | | | | | | | | | | Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex Added pki-server db-schema-upgrade If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations. Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise. Tickets 2320, 2319
* Fix unknown TKS host and port connector error during TPS removalMatthew Harmsen2016-06-021-10/+3
| | | | | - PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat throws error.
* Fixed support for generic CSR extensions.Endi S. Dewata2016-05-252-2/+72
| | | | | | | | The deployment tool has been modified to support adding Subordinate CA extension into the CSR for Microsoft CA, and also adding generic extensions to any system certificate. https://fedorahosted.org/pki/ticket/2312
* Ignoring blank and comment lines in configuration files.Endi S. Dewata2016-05-241-2/+11
| | | | | | | | | The PKISubsystem.load() and PKIInstance.load() have been modified to ignore blank and comment lines in CS.cfg and password.conf. If the code fails to parse a line it will throw an exception showing the location of the invalid line. https://fedorahosted.org/pki/ticket/2314
* Renamed pki-server ca-db-upgrade to db-upgrade.Endi S. Dewata2016-05-142-81/+131
| | | | | | | | | The pki-server ca-db-upgrade command has been renamed to db-upgrade to be more general. In the future the command can be refactored to handle additional upgrade scripts. Additional log messages have been added to show the upgrade activities in verbose mode. https://fedorahosted.org/pki/ticket/1667
* Add pki-server ca-db-upgrade commandFraser Tweedale2016-05-141-0/+81
| | | | | | | | | Add the 'ca-db-upgrade' command to 'pki-server'. This command updates certificate records to add the issuerName attribute where missing. If other database updates are needed in future, they can be added to this command. Part of: https://fedorahosted.org/pki/ticket/1667
* Fixed pki-server subsystem-cert-validate command.Endi S. Dewata2016-05-131-32/+83
| | | | | | | | | | | | | | | | | The system certificate validation command has been modified to check for both 'internal' and 'Internal Key Storage Token' since both are valid names for the internal token. Additional checks have been added to validate the certificate parameters in CS.cfg. The output of the command has been modified to be more consistent with other pki-server commands. The pki client-cert-validate invocation has been fixed to use -C option to specify the NSS database password in a file. https://fedorahosted.org/pki/ticket/2043
* Fixed missing CSR extensions for external CA case.Endi S. Dewata2016-05-121-1/+22
| | | | | | | | The deployment tool has been modified to generate CSR with basic constraints and key usage extensions for the externally-signed CA signing certificate. https://fedorahosted.org/pki/ticket/2312
* Fixed install-only message in external CA case.Endi S. Dewata2016-05-122-7/+8
| | | | | | | | | | | | | | | | | | Previously, in external CA case if pkispawn was executed with pki_skip_configuration=True, it would stop the execution before the step 1 was fully completed (i.e. generating CSR), but it would incorrectly show a message indicating the CSR has been generated. The code that displays the installation summary has been fixed to check for pki_skip_configuration first before checking for external CA case to ensure that it displays the appropriate message for each step. The code that generates the Tomcat instance systemd service link was moved into instance_layout.py to avoid redundant executions. The pkispawn and pkidestroy have also be modified to remove redundant log of deployment parameters in master dictionary.
* Added deployment parameters for number ranges.Endi S. Dewata2016-05-092-4/+9
| | | | | | | | | | | New deployment parameters have been added to customize the serial number range, request number range, and replica number range in CS.cfg during installation. The code that generates the CS.cfg has been moved closer to the code that generates the subsystem configuration folder. https://fedorahosted.org/pki/ticket/2278
* Simplified slot substitution.Endi S. Dewata2016-05-091-0/+54
| | | | | | | | | Previously a deployment parameter has to be added to pkislots.cfg before it can be used in copy_with_slot_substitution(). The method has been modified to support substitutions using the deployment parameters directly, which simplifies the development. https://fedorahosted.org/pki/ticket/2278
* Add validity check for the signing certificate in pkispawnAde Lee2016-05-022-15/+68
| | | | | | | | When either an existing CA or external CA installation is performed, use the pki-server cert validation tool to check the signing certiticate and chain. Ticket #2043
* Add CLI to check system certificate statusAde Lee2016-05-022-0/+120
| | | | | | | | | | | | | | | | | | | We add two different calls: 1. pki client-cert-validate - which checks a certificate in the client certdb and calls the System cert verification call performed by JSS in the system self test. This does some basic extensions and trust tests, and also validates cert validity and cert trust chain. 2. pki-server subsystem-cert-validate <subsystem> This calls pki client-cert-validate using the nssdb for the subsystem on all of the system certificates by default (or just one if the nickname is defined). This is a great thing to call when healthchecking an instance, and also will be used by pkispawn to verify the signing cert in the externally signed CA case. Trac Ticket 2043
* Fixed duplicate executions of finalization scriptlet.Endi S. Dewata2016-04-302-30/+15
| | | | | | | | | | | | | | | | | Previously the finalization scriptlet was always executed in each pkispawn execution. In multi-step installations (e.g. external CA, standalone, or installation/configuration-only mode) some of the code in the scriptlet such as enabling systemd service, restarting the service, and purging client database will be redundant. Now the scriptlet has been modified to execute only in the final step of the installation. The code that archives the deployment and manifest files has been moved into pkispawn to ensure that it is always executed in each pkispawn execution. For clarity the method that displays the installation summary has been broken up into separate methods for standalone step 1, installation-only mode, and configuration-only/full installation.
* Removed unused variables in deployment scriptlets.Endi S. Dewata2016-04-2810-50/+22
| | | | | | | | The unused rv instance variables in all deployment scriptlets have been removed. The spawn() and destroy() are now returning None instead of error code. If an error happens during execution the scriptlet will throw an exception which will be caught by pkispawn or pkidestroy and then displayed to the user.
* Fixed PKCS #12 export options.Endi S. Dewata2016-04-202-2/+40
| | | | | | | | The CLIs for exporting PKCS #12 file have been modified to accept options to export without trust flags, keys, and/or certificate chain. https://fedorahosted.org/pki/ticket/1736
* Moved self-signed SSL server certificate creation.Endi S. Dewata2016-04-152-41/+55
| | | | | | | | | To avoid possible conflicts imported external certificates, the self-signed SSL server certificate creation has been moved after the external certificates have been imported into the NSS database and before the server is started. https://fedorahosted.org/pki/ticket/1736
* Updated pki pkcs12-export CLI.Endi S. Dewata2016-04-152-9/+29
| | | | | | | | | | | | For consistency the pki pkcs12-export has been modified to overwrite the PKCS #12 output file by default. A new option has been added to append the exported certificates and keys into the output file if the file already exists. The same option has been added to the The pki-server instance-cert-export and subsystem-cert-export commands. https://fedorahosted.org/pki/ticket/1736
generated by cgit (git 2.34.1) at 2025-09-26 23:12:16 +0000