path: root/base/server/share
Commit message | Author | Age | Files | Lines
* Fixed access banner encoding (part 2). | Endi S. Dewata | 2017-06-14 | 1 | -4/+1
  The code that reads the access banner from file has been modified to explicitly use UTF-8 encoding. The Info class and the PKI UI have been modified not to encode the access banner in Base64 since it is not necessary.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I5f41a8ebac0bc91623b27f14608bca294bc9bc38
* Fixed access banner encoding. | Endi S. Dewata | 2017-06-14 | 1 | -0/+3
  The Info service and client have been modified to transmit access banner in Base64-encoded form. The PKI UI has been modified to decode the access banner properly.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: Ic8526bac4c4d6b99e627aced64ab24cf675f5d50
* Fixed access banner normalization. | Endi S. Dewata | 2017-06-14 | 1 | -1/+1
  The PKIService has been modified to trim whitespaces in access banner before returning the value to the client. The clients have been modified to no longer trim the banner.
  https://pagure.io/dogtagpki/issue/2671
  Change-Id: I51c5e78d11c89c711e369328def27bb352aa49e6
* Added access banner for PKI UI. | Endi S. Dewata | 2017-02-24 | 3 | -2/+105
  The PKI UI main page has been modified to retrieve access banner and display it in a dialog box. After displaying the banner it will notify the server such that the banner is not returned again in the same server session. To prevent displaying multiple dialog boxes in pages with frames the critical code is locked such that only one frame can actually display the banner.
  https://fedorahosted.org/pki/ticket/2582
* Added PKIApplication. | Endi S. Dewata | 2017-02-23 | 1 | -0/+30
  A new PKIApplication class has been added into /pki web application to define common PKI REST services such as access banner.
  https://fedorahosted.org/pki/ticket/2582
* Secured PKI UI main page. | Endi S. Dewata | 2017-02-21 | 1 | -0/+22
  A web.xml has been added to /pki web application to require SSL connection to access the PKI UI main page at /pki/ui.
  https://fedorahosted.org/pki/ticket/2582
* Reorganized PKI UI pages. | Endi S. Dewata | 2017-02-21 | 3 | -163/+273
  Previously the index.jsp of the ROOT web application was storing PKI UI main page which contains links to PKI subsystems installed on the instance. Now the file has been changed to redirect to /pki which provides a new PKI UI welcome page. The PKI UI main page itself has been moved to /pki/ui.
  https://fedorahosted.org/pki/ticket/2582
* Refactored pki-ui.js. | Endi S. Dewata | 2017-02-20 | 2 | -152/+172
  For clarity the non-UI code in the pki-ui.js has been moved into pki.js.
* Removed all references to 'xenroll.dll' | Matthew Harmsen | 2016-12-09 | 1 | -5/+0
  - PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
* Updated log4j.properties. | Endi S. Dewata | 2016-11-18 | 1 | -24/+21
  To reduce maintenance the log4j.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in the /var/lib/pki/<instance>/lib folder pointing to the default file in /usr/share/pki/server/conf. The default log4j.properties has been updated to remove redundant lines. By default only log messages with level WARN or higher will be logged on the console.
  https://fedorahosted.org/pki/ticket/1897
* Updated logging.properties. | Endi S. Dewata | 2016-11-18 | 1 | -19/+5
  To reduce maintenance the logging.properties is no longer copied into the instance folder during deployment. Instead, a link will be created in /etc/pki/<instance> pointing to the default file in /usr/share/pki/server/conf. The default logging.properties has been updated to only log messages with level WARNING or higher on the console.
  https://fedorahosted.org/pki/ticket/1897
* Removed hard-coded paths in pki.policy. | Endi S. Dewata | 2016-07-26 | 1 | -130/+2
  The operations script has been modified to generate pki.policy dynamically from links in the <instance>/common/lib directory. This allows the pki.policy to match the actual paths in different platforms.
  https://fedorahosted.org/pki/ticket/2403
* Bugzilla #1203407 tomcatjss: missing ciphers | Christina Fu | 2016-06-30 | 1 | -2/+2
  This patch removes references to the ciphers currently unsupported by NSS:
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
* Fixed Java dependency. | Endi S. Dewata | 2016-06-17 | 1 | -12/+4
  The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf.
  https://fedorahosted.org/pki/ticket/2363
* Fixed truncated token activity message in TPS UI. | Endi S. Dewata | 2016-06-03 | 1 | -3/+3
  The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea.
  https://fedorahosted.org/pki/ticket/2299
* Fix LDAP schema violation when instance name contains '_' | Fraser Tweedale | 2016-05-30 | 2 | -2/+2
  The instance name is used in NSSDB key nicknames, which are stored in the authorityKeyNickname attribute for mapping lightweight CAs to their keys. The schema was PrintableString, which does not permit '_', causing LDAP syntax errors if the instance name contains '_'. To avoid this issue, change the attribute syntax to IA5String. Existing instances should be largely unaffected. The schema update can be successfully applied even for existing attributes, because PrintableString and IA5String share the same underlying representation in 389DS.
  Fixes: https://fedorahosted.org/pki/ticket/2343
* Added TPS UI for managing user certificates. | Endi S. Dewata | 2016-05-24 | 1 | -0/+6
  The TPS UI has been modified to provide an interface to manage the user certificates. The UserService has been modified to provide better error messages.
  https://fedorahosted.org/pki/ticket/1434
* Added TPS UI for managing user roles. | Endi S. Dewata | 2016-05-24 | 1 | -21/+27
  The TPS UI has been modified to provide an interface to manage the user roles. The ErrorDialog was modified to handle both text and JSON error responses.
  https://fedorahosted.org/pki/ticket/2267
* Lightweight CAs: add missing authoritySerial attr to default schema | Fraser Tweedale | 2016-05-14 | 1 | -1/+2
* Lightweight CAs: authority schema changes | Fraser Tweedale | 2016-05-03 | 2 | -14/+17
  Add the 'authorityKeyHost' attribute which will contain names of hosts that possess the authority's signing keys. Add the 'authoritySerial' attribute which may contain the serial number of the certificate most recently issued for the authority. Change other attributes to be single-valued.
  Part of: https://fedorahosted.org/pki/ticket/1625
* Removed pkidaemon support of apache instances | Matthew Harmsen | 2016-04-27 | 2 | -2/+2
  - PKI TRAC Ticket #2248 - support only tomcat instances
* Add realm schema changes | Ade Lee | 2016-04-20 | 1 | -2/+7
  Added realm attribute and index. Added to request and keyRecord. Part of Trac Ticket 2041
* Add script to enable USN plugin | Ade Lee | 2016-04-15 | 1 | -0/+4
  New authority monitor code requires the USN plugin to be enabled in the database to ensure that the entryUSN attribute is added to authority entries. In the case where this plugin was disabled, accessing this attribute resulted in a null pointer exception which prevented server startup. The code has been changed so as not to throw a null pointer exception on startup if the entryusn is not present, and also to call an LDIF to enable the plugin when a subsystem is configured through pkispawn.
* Added TPS token filter dialog. | Endi S. Dewata | 2016-03-17 | 1 | -6/+22
  The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes.
  https://fedorahosted.org/pki/ticket/1482
* Replaced confirmation dialog with HTML dialog. | Endi S. Dewata | 2016-03-17 | 1 | -6/+52
  The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear.
  https://fedorahosted.org/pki/ticket/1685
* Added resource bundle for token state labels. | Endi S. Dewata | 2016-02-05 | 1 | -3/+19
  The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overridden by copying and customizing the file into <instance>/tps/conf. When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
* Allow encoded slashes in HTTP paths | Fraser Tweedale | 2016-01-21 | 1 | -0/+2
  Properly formed GET-based OCSP requests can contain URL-encoded slashes in the HTTP path[1] but our Tomcat configuration does not permit this (returns 400 Bad Request). Change catalina.properties to allow URL-encoded slashes in HTTP paths.
  [1] https://tools.ietf.org/html/rfc6960#appendix-A.1
  Also add an upgrade script to update catalina.properties in existing instances.
  Fixes: https://fedorahosted.org/pki/ticket/1658
* Added interface to run selftest in TPS UI. | Endi S. Dewata | 2016-01-18 | 1 | -8/+20
  The TPS UI has been modified to provide an interface to run the selftests and display the results.
  https://fedorahosted.org/pki/ticket/1502
* Added table to manage TPS user profiles. | Endi S. Dewata | 2016-01-18 | 1 | -2/+6
  The TPS UI has been modified to provide a table as an interface to manage the user profiles. When adding a profile, the profile can be selected from a list of available profiles. The UserService and UGSubsystem have been modified to allow adding a user with no assigned profiles.
  https://fedorahosted.org/pki/ticket/1478
* Updated TPS UI element IDs. | Endi S. Dewata | 2015-10-15 | 1 | -1/+4
  The TPS UI navigation elements have been updated to add the missing names and to use better names. The checkbox IDs in various pages have also been renamed for consistency. The pki-ui.js has been modified to use the checkbox ID of the template row instead of table name to construct the checkbox ID of the actual rows.
  https://fedorahosted.org/pki/ticket/1622
* Lightweight CAs: initial support | Fraser Tweedale | 2015-09-26 | 2 | -0/+21
  This commit adds initial support for "lightweight CAs" - CAs that inhabit an existing CA instance and share the request queue and certificate database of the "top-level CA". We initially support only sub-CAs under the top-level CA - either direct sub-CAs or nested. The general design will support hosting unrelated CAs but creation or import of unrelated CAs is not yet implemented.
  Part of: https://fedorahosted.org/pki/ticket/1213
* Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain | Christina Fu | 2015-08-19 | 1 | -8/+16
  Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that:
  1. The tested HSM seems to have issue with them (will still continue to investigate)
  2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to establish.
  3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
* Ticket #1556 Weak HTTPS TLS ciphers | Christina Fu | 2015-08-17 | 1 | -0/+66
  This patch fixes the RSA ciphers that were mistakenly turned on under ECC section, and off under RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info was also created to
  1. provide info on the ciphers
  2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as migration script might not be ideal due to possible customization)
  (cherry picked from commit 67c895851781d69343979cbcff138184803880ea)
* Firefox warning | Jack Magne | 2015-07-31 | 1 | -9/+0
  Ticket #1523 Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Add profiles schema update file | Fraser Tweedale | 2015-06-19 | 1 | -0/+4
  Dogtag does not yet have a reliable way to update its schema, but FreeIPA does need to add the new schema for LDAP-based profiles during upgrade to 4.2. As a temporary solution until Dogtag can manage its own schema updates (including when deployed as FreeIPA CA), FreeIPA will perform the schema upgrade. Provide a schema file that FreeIPA can use to do this.
* Fixed typos in Web UI. | Endi S. Dewata | 2015-06-18 | 1 | -1/+1
* Mozilla crypto object warning: | Jack Magne | 2015-06-16 | 1 | -1/+1
  Provide simple textual warning when the user is using a browser that no longer supports the crypto object, which results in reduced CA certificate enrollment functionality. For simplicity provide the warning at the top of the main index page and at the top of the CA's services page. The services page is where the pkispawn of the CA points the users after installation. The ticket originally called for a JS warning but the simple text warning should be less intrusive and repetitive to the user. Ticket #1398 Provide UI Javascript warning for missing Mozilla Crypto Object in the CA.
* Warning for the main index to tell the user that the crypto object is not available for use in the browser. | Jack Magne | 2015-06-16 | 1 | -0/+8
* Cleaned up links in main page. | Endi S. Dewata | 2015-06-11 | 1 | -116/+13
  The ROOT's index.jsp has been modified to show the links to all subsystems installed on the instance. When opened, it will show the services provided by the subsystem. The pkispawn output has been modified to show the subsystem URL more consistently:
  https://<hostname>:<port>/<subsystem>
  In all subsystems except TPS the page will redirect to:
  https://<hostname>:<port>/<subsystem>/services
* Fixed NPE in ROOT's index.jsp. | Endi S. Dewata | 2015-06-08 | 1 | -17/+27
  The ROOT's index.jsp has been modified to check each subsystem's servlet context for null before accessing the value.
  https://fedorahosted.org/pki/ticket/1407
* Patches to get nuxwdog working with systemd | Ade Lee | 2015-05-10 | 2 | -0/+22
  This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts.
  To use nuxwdog to start the instance, a user needs to do the following:
  1. Create an instance normally.
  2. Run: pki-server instance-nuxwdog-enable <instance_name>
  3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
  To revert the instance, simply do the following:
  1. Run: pki-server instance-nuxwdog-disable <instance_name>
  2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Add nuxwdog to java policy | Ade Lee | 2015-04-28 | 1 | -0/+3
  This allows PKI server to be loaded with nuxwdog library when java security policy is enabled.
* Moved color settings to CSS. | Endi S. Dewata | 2015-04-22 | 5 | -5/+5
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file.
  https://fedorahosted.org/pki/ticket/1296
* Moved CSS files to theme package. | Endi S. Dewata | 2015-04-22 | 4 | -9986/+0
  The CSS files have been moved into the theme package to allow more control of the UI appearance.
  https://fedorahosted.org/pki/ticket/499
* Moved fonts and images to theme package. | Endi S. Dewata | 2015-04-22 | 21 | -0/+0
  The fonts and images have been moved into the theme package to allow more control of the UI appearance.
  https://fedorahosted.org/pki/ticket/499
* Parameterized ROOT's index.jsp. | Endi S. Dewata | 2015-04-22 | 1 | -2/+27
  https://fedorahosted.org/pki/ticket/1296
* Changes to config files to support nuxwdog | Ade Lee | 2015-04-22 | 1 | -1/+4
  Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8. | Endi S. Dewata | 2015-04-21 | 3 | -370/+0
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Fixed action menu in TPS UI. | Endi S. Dewata | 2015-04-17 | 2 | -10/+34
  The TPS UI has been modified to display the appropriate actions menu based on the roles of the user. TPS agent can only enable and disable profiles, and also approve or reject pending requests. TPS admin can only edit disabled profiles, then submit it for approval, or cancel the request.
  https://fedorahosted.org/pki/ticket/1292
* Customized TPS UI menu based on user roles. | Endi S. Dewata | 2015-04-17 | 2 | -9/+16
  The TPS UI has been modified to customize the navigation menu based on the roles of the user currently logged in. TPS agents do not have access to users, groups, config, authenticators, connectors, profile mappings, audit, and self tests, so the corresponding menu items will be hidden. TPS admins have access to all menu items.
  https://fedorahosted.org/pki/ticket/1292