| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
| |
The code that reads the access banner from file has been modified
to explicitly use UTF-8 encoding.
The Info class and the PKI UI have been modified not to encode the
access banner in Base64 since it is not necessary.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
|
|
|
|
|
|
|
|
|
|
| |
The Info service and client have been modified to transmit access
banner in Base64-encoded form. The PKI UI has been modified to
decode the access banner properly.
https://pagure.io/dogtagpki/issue/2671
Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50
|
|
|
|
|
|
|
|
|
|
| |
The PKIService has been modified to trim whitespaces in access
banner before returning the value to the client. The clients
have been modified to no longer trim the banner.
https://pagure.io/dogtagpki/issue/2671
Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The PKI UI main page has been modified to retrieve access banner
and display it in a dialog box. After displaying the banner it
will notify the server such that the banner is not returned again
in the same server session.
To prevent displaying multiple dialog boxes in pages with frames
the critical code is locked such that only one frame can actually
display the banner.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
| |
A new PKIApplication class has been added into /pki web application
to define common PKI REST services such as access banner.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
| |
A web.xml has been added to /pki web application to require SSL
connection to access the PKI UI main page at /pki/ui.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously the index.jsp of the ROOT web application was storing
PKI UI main page which contains links to PKI subsystems installed
on the instance.
Now the file has been changed to redirect to /pki which provides
a new PKI UI welcome page. The PKI UI main page itself has been
moved to /pki/ui.
https://fedorahosted.org/pki/ticket/2582
|
|
|
|
|
| |
For clarity the non-UI code in the pki-ui.js has been moved into
pki.js.
|
|
|
|
| |
- PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To reduce maintenance the log4j.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in the /var/lib/pki/<instance>/lib folder pointing to
the default file in /usr/share/pki/server/conf.
The default log4j.properties has been updated to remove redundant
lines. By default only log messages with level WARN or higher will
be logged on the console.
https://fedorahosted.org/pki/ticket/1897
|
|
|
|
|
|
|
|
|
|
|
|
| |
To reduce maintenance the logging.properties is no longer copied
into the instance folder during deployment. Instead, a link will
be created in /etc/pki/<instance> pointing to the default file
in /usr/share/pki/server/conf.
The default logging.properties has been updated to only log
messages with level WARNING or higher on the console.
https://fedorahosted.org/pki/ticket/1897
|
|
|
|
|
|
|
|
|
| |
The operations script has been modified to generate pki.policy
dynamically from links in the <instance>/common/lib directory.
This allows the pki.policy to match the actual paths in different
platforms.
https://fedorahosted.org/pki/ticket/2403
|
|
|
|
|
|
| |
This patch removes references to the ciphers currently unsupported by NSS:
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
|
|
|
|
|
|
|
|
|
|
| |
The code has been modified to use the JAVA_HOME path specified in
the pki.conf.
The spec file has been modified to depend specifically on OpenJDK
1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
https://fedorahosted.org/pki/ticket/2363
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the token activity message
in a textarea to avoid truncation.
The UI framework class has been modified to handle textarea.
The CSS has been modified to align the field label with the top of
textarea.
https://fedorahosted.org/pki/ticket/2299
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The instance name is used in NSSDB key nicknames, which are stored
in the authorityKeyNickname attribute for mapping lightweight CAs to
their keys. The schema was PrintableString, which does not permit
'_', causing LDAP syntax errors if the instance name contains '_'.
To avoid this issue, change the attribute syntax to IA5String.
Existing instances should be largely unaffected. The schema update
can be successfully applied even for existing attributes, because
PrintableString and IA5String share the same underlying
representation in 389DS.
Fixes: https://fedorahosted.org/pki/ticket/2343
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage the
user certificates.
The UserService has been modified to provide better error messages.
https://fedorahosted.org/pki/ticket/1434
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to manage
the user roles.
The ErrorDialog was modified to handle both text and JSON error
responses.
https://fedorahosted.org/pki/ticket/2267
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add the 'authorityKeyHost' attribute which will contain names of
hosts that possess the authority's signing keys.
Add the 'authoritySerial' attribute which may contain the serial
number of the certificate most recently issued for the authority.
Change other attributes to be single-valued.
Part of: https://fedorahosted.org/pki/ticket/1625
|
|
|
|
| |
- PKI TRAC Ticket #2248 - support only tomcat instances
|
|
|
|
|
| |
Added realm attribute and index. Added to request and keyRecord.
Part of Trac Ticket 2041
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
New authority monitor code requires the USN plugin to be
enabled in the database to ensure that the entryUSN attribute
is added to authority entries.
In the case where this plugin was disabled, accessing this
attribute resulted in a null pointer exception whch prevented server
startup.
The code has been changed so as not to throw a null pointer exception
on startup if the entryusn is not present, and also to call an LDIF
to enable the plugin when a subsystem is configured through pkispawn.
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI Tokens page and the pki tps-token-find CLI have been
modified to provide an interface to filter tokens based on their
attributes.
The TokenService.findTokens() has been modified to accept
additional search criteria based on token attributes.
https://fedorahosted.org/pki/ticket/1482
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified such that it will use an HTML-based
dialog instead of the browser's built-in dialog such that the
option to "prevent this page from creating additional dialogs"
will no longer appear.
https://fedorahosted.org/pki/ticket/1685
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overriden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Properly formed GET-based OCSP requests can contain URL-encoded
slashes in the HTTP path[1] but our Tomcat configuration does not
permit this (returns 400 Bad Request). Change catalina.properties
to allow URL-encoded slashes in HTTP paths.
[1] https://tools.ietf.org/html/rfc6960#appendix-A.1
Also add an upgrade script to update catalina.properties in existing
instances.
Fixes: https://fedorahosted.org/pki/ticket/1658
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478
|
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds initial support for "lightweight CAs" - CAs that
inhabit an existing CA instance and share the request queue and
certificate database of the "top-level CA".
We initially support only sub-CAs under the top-level CA - either
direct sub-CAs or nested. The general design will support hosting
unrelated CAs but creation or import of unrelated CAs is not yet
implemented.
Part of: https://fedorahosted.org/pki/ticket/1213
|
|
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
(cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
|
|
|
|
|
|
|
|
| |
Ticket #1523
Move the dire warning about the crypto object to sections where it applies.
Also slightly changed the message due to context.
|
|
|
|
|
|
|
|
|
| |
Dogtag does not yet have a reliable way to update its schema, but
FreeIPA does need to add the new schema for LDAP-based profiles
during upgrade to 4.2. As a temporary solution until Dogtag can
manage its own schema updates (including when deployed as FreeIPA
CA), FreeIPA will perform the schema upgrade. Provide a schema file
that FreeIPA can use to do this.
|
| |
|
|
|
|
|
|
| |
Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certficat enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the uers after installation. The ticket originally called for a JS warnign but the simple text warning should be less intrusive and repetitive to the user.
Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
|
|
|
|
| |
available for use in the browser.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to show the links to all
subsystems installed on the instance. When opened, it will show
the services provided by the subsystem.
The pkispawn output has been modified to show the subsystem URL
more consistently:
https://<hostname>:<port>/<subsystem>
In all subsystems except TPS the page will redirect to:
https://<hostname>:<port>/<subsystem>/services
|
|
|
|
|
|
|
| |
The ROOT's index.jsp has been modified to check each subsystem's
servlet context for null before accessing the value.
https://fedorahosted.org/pki/ticket/1407
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
|
|
|
|
|
| |
This allows PKI server to be loaded with nuxwdog library when
java security policy is enabled.
|
|
|
|
|
|
|
| |
The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
|
|
|
| |
The CSS files have been moved into the theme package to allow more
control of the UI appearance.
https://fedorahosted.org/pki/ticket/499
|
|
|
|
|
|
|
| |
The fonts and images have been moved into the theme package to
allow more control of the UI appearance.
https://fedorahosted.org/pki/ticket/499
|
|
|
|
| |
https://fedorahosted.org/pki/ticket/1296
|
|
|
|
| |
Specifically changes to CS.cfg, server.xml and tomcat.conf
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292
|
|
|
|
|
|
|
|
|
|
|
| |
The TPS UI has been modified to customize the navigation menu
based on the roles of the user currently logged in. TPS agents
do not have access to users, groups, config, authenticators,
connectors, profile mappings, audit, and self tests, so the
corresponding menu items will be hidden. TPS admins have
access to all menu items.
https://fedorahosted.org/pki/ticket/1292
|