| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
(cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
|
|
|
|
|
|
|
|
| |
Ticket #1523
Move the dire warning about the crypto object to sections where it applies.
Also slightly changed the message due to context.
|
|
|
|
|
|
|
|
|
| |
Dogtag does not yet have a reliable way to update its schema, but
FreeIPA does need to add the new schema for LDAP-based profiles
during upgrade to 4.2. As a temporary solution until Dogtag can
manage its own schema updates (including when deployed as FreeIPA
CA), FreeIPA will perform the schema upgrade. Provide a schema file
that FreeIPA can use to do this.
|
| |
|
|
|
|
|
|
| |
Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.
Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
|
|
|
|
| |
available for use in the browser.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to check each subsystem's
servlet context for null before accessing the value.
https://fedorahosted.org/pki/ticket/1407
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
| |
This allows PKI server to be loaded with nuxwdog library when
java security policy is enabled.
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
| |
The CSS files have been moved into the theme package to allow more
control of the UI appearance.
https://fedorahosted.org/pki/ticket/499
|
|
|
|
|
|
|
| |
The fonts and images have been moved into the theme package to
allow more control of the UI appearance.
https://fedorahosted.org/pki/ticket/499
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to customize the navigation menu
based on the roles of the user currently logged in. TPS agents
do not have access to users, groups, config, authenticators,
connectors, profile mappings, audit, and self tests, so the
corresponding menu items will be hidden. TPS admins have
access to all menu items.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
| |
- PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
- PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In Fedora 22 the Resteasy package has been split into several
subpackages. The pki-core.spec has been modified to depend on
more specific Resteasy packages which depend only on Jackson
1.x. The classpaths and various scripts have been modified to
remove unused references to Jackson 2.x.
https://fedorahosted.org/pki/ticket/1254
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new pki-server CLI has been added to manage the instances and
subsystems using the server management library. This CLI manages
the system files directly, so it can only be run locally on the
server by the system administrator.
The autoDeploy setting in server.xml has been enabled by default.
An upgrade script has been added to enable the autoDeploy setting
in existing instances.
https://fedorahosted.org/pki/ticket/1183
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix now includes last review comments where we decided to consolidate 3 of the
ldif files: schema.ldif,database.ldif, and manager.ldif.
Each one of these 3 files contains the data needed for any subsystem for that file.
The subsystem specific files for these 3 go away in the source tree.
The first iteration of this fix was copying these 3 files into an undesirable directory.
This is no longer the case.
Extra code in the python installer allows one to establish a "file exclusion" callback to
keep a set of desired files from being copied when the installer does a directory copy.
All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix),
and they appear to work fine.
Addressed further review comments:
1. Removed trailing whitespace instances from schema.ldif which had some.
2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
3. Changed the format of the schema.ldif file to make all the entries use the same style.
Previously the TPS entries was using an all in one syntax. No more since now each entry is separate.
4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
5. Tested everything to work as before, including basic TPS operations such as Format.
Fixed a method comment string and fixed some typos.
|
|
|
|
| |
and upgrade
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously emptying a field in TPS UI could not be saved because
the change was not saved and sent to the server. The UI framework
now has been fixed to save and send the empty field to the server
such that the database can be updated properly.
Additional parameters have been added to the tps-token-mod command
to modify all editable fields.
Ticket #1085
|
|
|
|
| |
* PKI TRAC Ticket #567 - ui needs to be scrubbed for missing images
|
|
|
|
| |
- PKI TRAC Ticket #832 - Remove legacy 'systemctl' files . . .
|
|
|
|
|
|
|
|
| |
The ActivityService has been fixed to return the missing TPS activity
attributes including IP, operation, result, and message. The TPS CLI
and UI has been fixed to display the activity date in UTC format.
Ticket #1050
|
|
|
|
|
|
|
| |
The TPS UI logout functionality has been modified to clear the
authentication credential cache on IE.
Ticket #903
|
|
|
|
|
|
| |
The RCUE files are no longer used so they have been removed.
Ticket #958
|
|
|
|
|
|
|
|
| |
The RCUE library has been replaced with a more generic PatternFly
library. The dialog boxes and the navigation bar have been updated
accordingly.
Ticket #958
|
|
|
|
|
|
| |
New CSS, font, and JS files from PatterFly have been added.
Ticket #958
|
|
|
|
|
|
|
|
| |
The font files have been moved from /pki/font to /pki/fonts to
match the RCUE/PatternFly layout. The CSS files have been updated
accordingly.
Ticket #958
|
|
|
|
|
|
|
| |
Previously the TPS UI generates an error when adding a new group
because it's trying to fetch the members of the new group which
has not been added yet. The code has been changed to detect this
particular case and avoid fetching the data.
|
|
|
|
|
|
|
|
|
|
| |
A new table has been added to the group page in TPS UI for managing
the group members.
The addGroupMember() method in group REST interface has been fixed
to accept JSON request properly.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to use Backbone.Router to assign a
unique path for each page. This way the browser's Back button will
work properly and the page can be bookmarked.
A home page has been added for the UI. Currently it provide links
to all available pages. In the future it might be changed to
display more useful information.
A breadcrumb has been added to the top of each page to provide
links back to the home page.
Some new font files have been added from PatternFly library.
The EntryWithPropertiesPage has been renamed to ConfigEntryPage.
The Navigation class is no longer used so it has been removed.
Ticket #959
|
|
|
|
|
|
|
|
|
|
|
| |
The dialog used to edit user attributes has been replaced with a
details page since it will be required for breadcrumbs. A new HTML
template has been added for this page.
The renderField() in EntryPage has been renamed to loadField() for
consistency with the Dialog clas.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The dialog used to edit token attributes has been replaced with a
details page since it will be required for breadcrumbs. A new HTML
template has been added for this page.
Changing token status now can be done both in token list page and
in token details page.
The EntryPage has been modified such that it requires the editable
fields to be specified for the add mode.
To improve the appearance, the input fields in all dialogs and pages
will now appear as read-only while the data is still loading.
Ticket #654
|
|
|
|
|
|
|
| |
Previously error messages were displayed using alert(). It has been
replaced with a new ErrorDialog which can be formatted properly.
Ticket #949
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new dialog has been added to change the token status. The status
can be changed by clicking the Status value in the tokens table.
Initially the status is Uninitialized. The status can be changed
according to the allowed status transitions defined in the CS.cfg.
The status and reason fields in TokenRecord is now translated into
a single status field in TokenData. This way the UI only needs to
handle a single status field.
A new field has also been added to the database for token type.
Some issues displaying and updating some token attributes have been
fixed as well.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the content of table cells was generated by JavaScript
code. Now the content can be defined in the HTML template to allow
cleaner separation from the code. Attributes of the entry being
displayed in the row can now be specified in the template using
${attribute} notation. A special attribute called "parent" can be
used to refer to the attributes of the parent object. The current
templates have been modified to utilize this feature.
The renderIDColumn() in TableItem is no longer needed so it has been
removed. An open() method is added to handle any links in the cell.
The PropertiesTableItem has been moved into tps.js.
The "attributes" property in Dialog and EntryPage has been renamed
to "entry".
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new page has been added to manage general TPS configuration
properties. The properties are read-only by default. In edit
mode the property name will become a link which will show a
dialog to edit the property value.
The config REST service has been updated to use PATCH for
update operation and handle possible null collection of
properties.
Fixed a bug in TableItem.reset() where the code didn't clear
the table cell properly.
Fixed a bug in ConfigDatabase.getProperties() where the code
didn't handle null property key properly.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new tps.js has been added to store TPS-specific classes including
PropertiesTable and EntryWithPropertiesPage.
The Navigation has been refactored to simplify page registration.
The render() method now has to be called separately after instance
creation.
The Table has been refactored to improve reusability. The code that
handles a generic array of entry objects has been moved from the
PropertiesTable into the Table class. The code that handles a
Collection of Models has been moved into ModelTable. The Table now
supports entry sorting and attribute mapping. The Table also
supports view and edit modes. In view mode the Table will be
read-only. In edit mode the action buttons will appear.
The EntryPage has been refactored to handle a generic set of fields.
The editable fields can be specified in a list. The code related to
enable/disable buttons and properties table has been moved to
EntryWithPropertiesPage.
Some unused classes have been removed. Incorrect colum names in
the HTML templates have been fixed.
Ticket #654
|
|
|
|
|
|
|
|
| |
The pagination controls have been fixed to resemble the UXD design.
The page jump control is now located between the first/previous
buttons and the next/last buttons.
Ticket #848
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The add button in the list page for TPS profiles, connections, and
authenticators has been modified to show a blank form to add a new
entry. Once the entry is added, it will go back to the list page.
The DetailsPage has been renamed into EntryPage and modified to
support an add mode. In add mode the fields are editable. A new
AddEntryPage was added to change the behavior when closing the
page to return to the list page.
The Page container now has to be specified in the constructor. The
load() method is no longer taking any parameter. The open() has
been added to simplify loading page template and content.
The default length of the list page has been changed to 15
entries.
Fixed some bugs in ConnectionModel, AuthenticatorModel,
ConnectionDatabase, and in the HTML template.
Ticket #654
|
|
|
|
|
|
|
| |
The links in the top level page have been fixed to point to the
front page of the new TPS UI.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new DetailsPage has been added to view and edit TPS resources
including profiles, connections, and authenticators. Initially, in
view mode the page is read-only. User can view properties but they
are non-editable. To enter the edit mode the user needs to click
the Edit link. In this mode the properties become editable. To save
the all changes the user must click the Save button, and it will go
back to view mode. The page also provides links to enable or disable
the resource. The add functionality will be added separately later.
New HTML templates and the CSS code have been modified to better
control the formatting. Some unused code has been removed as well.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New buttons and dialogs have been added to add and remove properties
in TPS profiles, connections, and authenticators. Currently the code
will only change the properties in memory. The save functionality
will be added separately later.
Previously the Dialog class would only work with Models. The class
has been refactored such that it will work with any storage mechanism.
New CSS code was added to fix the dialog formatting.
Ticket #654
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A new page has been added to view TPS profile details. The properties are
displayed in a table which provides pagination and search functionality.
Currently the page is read-only. The edit functionality will be added
separately later.
Previously the ProfileData had a problem with JSON mapping because it
incorrectly included a PropertyNames attribute. To fix the problem the
class has been modified to require explicit JAXB mapping by setting the
@XmlAccessorType to NONE.
New CSS classes have been added to format the details page.
Ticket #654
|