path: root/base/server/share/conf
Commit log (each entry: title, then author, date, files changed, lines -/+)
* Updated log4j.properties. (Endi S. Dewata, 2016-11-18; 1 file, -24/+21)
  To reduce maintenance the log4j.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in the /var/lib/pki/<instance>/lib folder pointing to the default file in /usr/share/pki/server/conf. The default log4j.properties has been updated to remove redundant lines. By default only log messages with level WARN or higher will be logged on the console.
  https://fedorahosted.org/pki/ticket/1897
* Updated logging.properties. (Endi S. Dewata, 2016-11-18; 1 file, -19/+5)
  To reduce maintenance the logging.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in /etc/pki/<instance> pointing to the default file in /usr/share/pki/server/conf. The default logging.properties has been updated to only log messages with level WARNING or higher on the console.
  https://fedorahosted.org/pki/ticket/1897
* Removed hard-coded paths in pki.policy. (Endi S. Dewata, 2016-07-26; 1 file, -130/+2)
  The operations script has been modified to generate pki.policy dynamically from links in the <instance>/common/lib directory. This allows the pki.policy to match the actual paths in different platforms.
  https://fedorahosted.org/pki/ticket/2403
* Bugzilla #1203407 tomcatjss: missing ciphers (Christina Fu, 2016-06-30; 1 file, -2/+2)
  This patch removes references to the ciphers currently unsupported by NSS:
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Fixed Java dependency. (Endi S. Dewata, 2016-06-17; 1 file, -12/+4)
  The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
  https://fedorahosted.org/pki/ticket/2363
* Fix LDAP schema violation when instance name contains '_' (Fraser Tweedale, 2016-05-30; 2 files, -2/+2)
  The instance name is used in NSSDB key nicknames, which are stored in the authorityKeyNickname attribute for mapping lightweight CAs to their keys. The schema was PrintableString, which does not permit '_', causing LDAP syntax errors if the instance name contains '_'. To avoid this issue, change the attribute syntax to IA5String. Existing instances should be largely unaffected. The schema update can be successfully applied even for existing attributes, because PrintableString and IA5String share the same underlying representation in 389DS.
  Fixes: https://fedorahosted.org/pki/ticket/2343
* Lightweight CAs: add missing authoritySerial attr to default schema (Fraser Tweedale, 2016-05-14; 1 file, -1/+2)
* Lightweight CAs: authority schema changes (Fraser Tweedale, 2016-05-03; 2 files, -14/+17)
  Add the 'authorityKeyHost' attribute which will contain names of hosts that possess the authority's signing keys. Add the 'authoritySerial' attribute which may contain the serial number of the certificate most recently issued for the authority. Change other attributes to be single-valued.
  Part of: https://fedorahosted.org/pki/ticket/1625
* Add realm schema changes (Ade Lee, 2016-04-20; 1 file, -2/+7)
  Added realm attribute and index. Added to request and keyRecord.
  Part of Trac Ticket 2041
* Add script to enable USN plugin (Ade Lee, 2016-04-15; 1 file, -0/+4)
  New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception which prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Allow encoded slashes in HTTP paths (Fraser Tweedale, 2016-01-21; 1 file, -0/+2)
  Properly formed GET-based OCSP requests can contain URL-encoded slashes in the HTTP path[1] but our Tomcat configuration does not permit this (returns 400 Bad Request). Change catalina.properties to allow URL-encoded slashes in HTTP paths.
  [1] https://tools.ietf.org/html/rfc6960#appendix-A.1
  Also add an upgrade script to update catalina.properties in existing instances.
  Fixes: https://fedorahosted.org/pki/ticket/1658
* Lightweight CAs: initial support (Fraser Tweedale, 2015-09-26; 2 files, -0/+21)
  This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain (Christina Fu, 2015-08-19; 1 file, -8/+16)
  Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that:
  1. The tested HSM seems to have issue with them (will still continue to investigate)
  2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to establish.
  3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
* Ticket #1556 Weak HTTPS TLS ciphers (Christina Fu, 2015-08-17; 1 file, -0/+66)
  This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to
  1. provide info on the ciphers
  2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization)
  (cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
* Add profiles schema update file (Fraser Tweedale, 2015-06-19; 1 file, -0/+4)
  Dogtag does not yet have a reliable way to update its schema, but FreeIPA does need to add the new schema for LDAP-based profiles during upgrade to 4.2. As a temporary solution until Dogtag can manage its own schema updates (including when deployed as FreeIPA CA), FreeIPA will perform the schema upgrade. Provide a schema file that FreeIPA can use to do this.
* Add nuxwdog to java policy (Ade Lee, 2015-04-28; 1 file, -0/+3)
  This allows PKI server to be loaded with nuxwdog library when java security policy is enabled.
* Changes to config files to support nuxwdog (Ade Lee, 2015-04-22; 1 file, -1/+4)
  Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8. (Endi S. Dewata, 2015-04-21; 3 files, -370/+0)
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Add schema for LDAP-based profiles (Fraser Tweedale, 2015-04-07; 1 file, -0/+15)
* Updated Resteasy and Jackson dependencies (Endi S. Dewata, 2015-02-03; 1 file, -24/+0)
  In Fedora 22 the Resteasy package has been split into several subpackages. The pki-core.spec has been modified to depend on more specific Resteasy packages which depend only on Jackson 1.x. The classpaths and various scripts have been modified to remove unused references to Jackson 2.x.
  https://fedorahosted.org/pki/ticket/1254
* Added server management CLI. (Endi S. Dewata, 2015-01-28; 1 file, -1/+1)
  A new pki-server CLI has been added to manage the instances and subsystems using the server management library. This CLI manages the system files directly, so it can only be run locally on the server by the system administrator. The autoDeploy setting in server.xml has been enabled by default. An upgrade script has been added to enable the autoDeploy setting in existing instances.
  https://fedorahosted.org/pki/ticket/1183
* Fix-for-Bug-1170867-TPS-Installation-Failed (Jack Magne, 2014-12-16; 3 files, -0/+709)
  Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif, database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine.
  Addressed further review comments:
  1. Removed trailing whitespace instances from schema.ldif which had some.
  2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
  3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries were using an all in one syntax. No more since now each entry is separate.
  4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
  5. Tested everything to work as before, including basic TPS operations such as Format.
  Fixed a method comment string and fixed some typos.
* Ticket 1198 Bugzilla 1158410 add TLS range support to server.xml by default and upgrade (Christina Fu, 2014-11-24; 1 file, -1/+7)
* Upgraded RESTEasy client library. (Endi S. Dewata, 2014-02-27; 1 file, -0/+4)
  The Dogtag client library has been modified to use RESTEasy 3.0 client library. A new upgrade script has been added to update existing servers. The JAXB annotation in ResourceMessage has been modified to require explicit property mapping.
  Ticket #554
* Replaced Jettison with Jackson. (Endi S. Dewata, 2014-02-06; 1 file, -2/+46)
  The Jettison library has been replaced with Jackson library as JSON provider for RESTEasy. All class paths and the deployment tools have been updated accordingly. The Python library and the TPS UI have been updated as well to use the new JSON format.
  Ticket #817
* Debian: add init script functionality (Ade Lee, 2014-01-08; 1 file, -0/+4)
  The additions in this patch will add start/stop/restart/status functionality to operations, so that Debian systems can perform these operations by calling these functions from an init script. We also introduce a parameter in the configuration scripts that can be used to determine if the system is a Debian system. This parameter is used to specify a system V init script instead of a systemd script on a Debian system, when the configuration scriptlets start and stop a system. Also source apparently does not work by default in Debian. Used dot (.) instead.
* Moved web application context file. (Endi S. Dewata, 2013-12-16; 2 files, -0/+60)
  The location of web application context file has been changed from <instance>/webapps/<name>/META-INF/context.xml into <instance>/conf/Catalina/localhost/<name>.xml. This will eventually allow deploying the web application directly from the shared folder. A new upgrade script has been added to move the context files in the existing instances.
  Ticket #499
* Replaced auth.properties with acl.properties. (Endi S. Dewata, 2013-11-20; 1 file, -2/+2)
  The ACL mapping files have been renamed from auth.properties to acl.properties to match the actual content and moved into the subsystem conf folder. The authentication method mapping files have been extracted from the interceptor into actual files. The ACLInterceptor and AuthMethodInterceptors have been modified to read the default mapping first, then overwrite it with custom mapping if it exists in the subsystem folder. The UpdateAuthzProperties upgrade script has been replaced with RemoveAuthProperties that will remove the old auth.properties.
* Stand-alone DRM (Matthew Harmsen, 2013-10-25; 1 file, -2/+2)
  * TRAC Ticket #762 - Stand-alone DRM (cleanup tasks)
* enable tomcat access log (Andrew Wnuk, 2013-10-15; 1 file, -2/+2)
  This patch enables Tomcat access log for Java subsystems.
  Ticket #558.
* Upgrade script to fix JAVA_OPTS (Ade Lee, 2013-09-18; 1 file, -10/+10)
* Added new link for resteasy dependency (Ade Lee, 2013-09-17; 1 file, -0/+4)
  Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor with correct method call and reformatted the interceptors.
* fixing for new tomcat systemd files (Ade Lee, 2013-09-17; 1 file, -1/+1)
  tomcat now uses systemd unit files. We will reuse and customize those files accordingly. As a result, startup is simplified considerably - and pkidaemon has been gutted accordingly. We'll need to add migration scripts for older instances in a subsequent patch.
* TRAC Ticket #641 - Incorrect interface labels in pkidaemon output (Matthew Harmsen, 2013-09-04; 1 file, -21/+21)
* Reorganized server files. (Endi S. Dewata, 2013-07-13; 12 files, -0/+5204)
  Some server files in base/common have been moved to base/server for consistency. The build scripts have been updated accordingly.