| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently when installing an additional subsystem to an existing
instance the install tool always generates a new random password in
the pki_pin property which would not work with the existing NSS
database. The code has been modified to load the existing NSS
database password from the instance if the instance already exists.
The PKIInstance class has been modified to allow loading partially
created instance to help the installation.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some variables in pkispawn and pkidestroy have been renamed for
clarity.
The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed.
The constant pki_self_signed_token property has been moved into
default.cfg.
https://fedorahosted.org/pki/ticket/2247
|
|
|
|
|
|
|
|
|
|
| |
Some password and pin fields are missing from the no_interpolation list.
One entry is misspelled. A '%' in password field such as
pki_clone_pkcs12_password causes an installation error.
https://fedorahosted.org/pki/ticket/1703
Signed-off-by: Christian Heimes <cheimes@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the external CA case if the externally-signed CA certificate
is included in the certificate chain the CA certificate may get
imported with an incorrect nickname.
The code has been modified such that the certificate chain is
imported after the CA certificate is imported with the proper
nickname.
https://fedorahosted.org/pki/ticket/2022
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code has been modified such that it imports all
CA certificates from the PKCS #12 file for cloning before the
server is started using certutil. The user certificates will
continue to be imported using the existing JSS code after the
server is started. This is necessary since JSS is unable to
preserve the CA certificate nicknames.
The PKCS12Util has been modified to support multiple certificates
with the same nicknames.
The pki pkcs12-cert-find has been modified to show certificate ID
and another field indicating whether the certificate has a key.
The pki pkcs12-cert-export has been modified to accept either
certificate nickname or ID.
The pki pkcs12-import has been modified to provide options for
importing only user certificates or CA certificates.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki_server_external_cert_path has been renamed to
pki_server_external_certs_path to match the file name.
A default pki_server_external_certs_path has been added to
default.cfg.
The pki pkcs12-export has been modified to export into existing
PKCS #12 file by default.
The pki-server instance-cert-export has been modified to accept a
list of nicknames to export.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
| |
The pki CLI's --pkcs12 options has been renamed to --pkcs12-file
for consistency with pki-server CLI options.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ticket 1742 has a case where a third party CA certificate has
been added by IPA to the dogtag certdb for the proxy cert.
There is no way to ensure that this certificate is imported
when the system is cloned.
This patch will allow the user to import third party certificates
into a dogtag instance through CLI commands (pki-server).
The certs are tracked by a new instance level configuration file
external_certs.conf.
Then, when cloning:
1. When the pk12 file is created by the pki-server ca-clone-prepare
command, the external certs are automatically included.
2. When creating the clone, the new pki_server_pk12_path and
password must be provided. Also, a copy of the
external_certs.conf file must be provided.
3. This copy will be read and merged with the existing
external_certs.conf if one exists.
|
|
|
|
|
|
|
|
| |
In Python 3 subclasses no longer implement automatic ordering. To
provide ordering for sort() and custom comparison, __eq__ and __lt__ are
required.
https://fedorahosted.org/pki/ticket/2216
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Enforce absolute imports or explicit relative imports. Python 3 no
longer supports implicit relative imports, that is unqualified imports
from a module's directory. In order to load a module from the same
directory inside a package, use
from . import module
The future feature 'from __future__ import absolute_import' ensures that
pki uses absolute imports on Python 2, too.
See https://www.python.org/dev/peps/pep-0328/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation tool has been modified to provide an optional
pki_server_pkcs12_path property to specify a PKCS #12 file
containing certificate chain, system certificates, and third-party
certificates needed by the subsystem being installed.
If the pki_server_pkcs12_path is specified the installation tool
will no longer download the certificate chain from the security
domain directly, and it will no longer import the PKCS #12
containing the entire master NSS database specified in
pki_clone_pkcs12_path.
For backward compatibility, if the pki_server_pkcs12_path is not
specified the installation tool will use the old mechanism to
import the system certificates.
The ConfigurationUtils.verifySystemCertificates() has been modified
not to catch the exception to help troubleshooting.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some pki-server commands have been added to simplify exporting
the required certificates for subsystem installations. These
commands will invoke the pki pkcs12 utility to export the
certificates from the instance NSS database.
The pki-server ca-cert-chain-export command will export the
the certificate chain needed for installing additional
subsystems running on a separate instance.
The pki-server <subsystem>-clone-prepare commands will export
the certificates required for cloning a subsystem.
https://fedorahosted.org/pki/ticket/1742
|
|
|
|
| |
(cherry picked from commit 7638c5af03e50c4a59a2f7a2c96483bfae27045c)
|
|
|
|
|
|
|
|
|
|
| |
Tomcat 8.0.32 has moved org.apache.tomcat.ContextBind into
tomcat-api.jar. Add tomcat-api.jar to javac classpath to compile pki
with latest Tomcat.
https://fedorahosted.org/pki/attachment/ticket/2222
(cherry picked from commit 263dc2152640a95c8ca9b2829e74cce3a877f077)
(cherry picked from commit a7055d92466463d444da83db94c7b775a33e6aa0)
|
|
|
|
|
|
|
|
| |
We do a check for the dnsdomainname, which fails in Openstack
CI because this is not set. Instead of exiting, default to
the hostname.
(cherry picked from commit 795465f8620a0a10092435dce46e4cff93dbc20a)
|
|
|
|
|
|
|
|
|
|
| |
Due to a recent change the KRA installation failed because the
installer was trying to read the pki_external_csr_path parameter
which is not available for KRA installation. The installer has
been fixed to read the parameter in external CA case only.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit d42f39334ce4b4f5fa89707bfb6145039ff04579)
|
|
|
|
|
|
|
|
| |
The pki.nss module has been renamed into pki.nssdb to prevent
conflicts with the nss module.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 9609f4e6035d3cdff19a0f78caee2d08b095c8ba)
|
|
|
|
|
|
|
|
| |
The pkispawn has been modified to display the proper summary for
external CA and existing CA cases.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 66a4b7e635a4456a102221049c58c461d3429093)
|
|
|
|
|
|
|
|
|
| |
The CAValidityDefault has been modified to use Calendar API to
calculate the certificate validity range to be consistent with
the ValidityConstraint and ValidityDefault.
https://fedorahosted.org/pki/ticket/1682
(cherry picked from commit 9193fe5191d1bd857b7e1f5a398c6a279b42ec84)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The installation code for external CA case has been fixed such
that IPA can detect step 1 completion properly.
The code that handles certificate data conversion has been fixed
to reformat base-64 data for PEM output properly.
The installation summary for step 1 has been updated to provide
more accurate information.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
|
|
|
|
|
|
|
|
| |
The pki-cert and pki-server-subsystem man pages have been updated
to include recent changes.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 3294f5087997427d060bce85d033652f7a8431da)
|
|
|
|
|
|
|
|
|
|
|
|
| |
The deployment procedure for external CA has been modified
such that it generates the CA CSR before starting the server.
This allows the same procedure to be used to import CA
certificate from an existing server. It also removes the
requirement to keep the server running while waiting to get
the CSR signed by an external CA.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
|
|
|
|
|
|
|
|
|
| |
A new command has been added to export a system certificate, the
CSR, and the key. This command can be used to migrate a system
certificate into another instance.
https://fedorahosted.org/pki/ticket/456
(cherry picked from commit 9dce4a497f7c977a3c453972706eeb325bd33275)
|
|
|
|
|
|
|
|
|
| |
It is possible for the CMS getStatus resource to indicate that CMS
is ready when the initial loading of profiles (which is performed by
another thread) is not complete. During startup, wait for the
initial loading of profiles to complete before continuing.
Fixes: https://fedorahosted.org/pki/ticket/1702
|
|
|
|
|
|
|
|
| |
The file-based LDAP profile subsystem does not update profiles
correctly. Ensure that each commit of the underlying config store
refreshes the profile inputs, outputs and policy objects.
Part of: https://fedorahosted.org/pki/ticket/1700
|
|
|
|
|
|
|
|
|
|
|
|
| |
Deleting and then immediately recreating a profile can result in the
new profile temporarily going missing, if the DELETE
EntryChangeControl is processed after profile readdition.
Handle this case by tracking the nsUniqueId of entries that are
deleted by an LDAPProfileSubsystem and NOT (re-)forgetting the
profile when the subsequent EntryChangeControl gets processed.
Fixes: https://fedorahosted.org/pki/ticket/1700
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Avoid race conditions in the LDAPProfileSubsystem by tracking the
most recently known entryUSN of profiles' LDAP entries.
As part of this change, add the commitProfile method to the
IProfileSubsystem interface, remove commit behaviour from the
enableProfile and disableProfile methods and update ProfileService
and ProfileApproveServlet to commit the profile (using the
commitProfile method) where needed.
Part of: https://fedorahosted.org/pki/ticket/1700
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server migrate command has been modified such that if there
is no specific Tomcat version specified it will use the current
Tomcat version.
The top attribute in the CLI class was not functioning properly,
so it has been replaced with get_top_module() method.
The getopt() invocations in pki-server subcommands have been
replaced with gnu_getopt() to allow intermixing options and
arguments.
https://fedorahosted.org/pki/ticket/1310
(based upon Edewata patch c7bc6eb94aa64c89467f9394554f860dc485ad94)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ConfigurationUtils and CertUtil have been modified to use
PKIConnection which uses Apache HttpClient instead of the legacy
custom HttpClient. The POST request content is now created using
MultivaluedMap.
The PKIConnection has been modified to provide a get() method to
send an HTTP GET request. The post() method was modified to accept
a path parameter.
https://fedorahosted.org/pki/ticket/342
(cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
|
|
|
|
|
|
|
|
|
|
|
| |
The unused configuration wizard servlet has been removed to
simplify refactoring other codes.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120
(cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
|
|
|
|
|
|
|
|
|
|
| |
The PasswdUserDBAuthentication.authenticate() has been modified
such that it uses the UGSubsystem to find the user in the proper
LDAP subtree to avoid matching other LDAP entries that contain
a uid attribute.
https://fedorahosted.org/pki/ticket/1580
(cherry picked from commit 017d582ba50fe4ffc4bedf40a5229fb6aa381b37)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an interim solution for supporting HSM failover by automatically
shutting down the server when signing key becomes inaccessible.
At auto-shutdown, a crumb fiile will be left in the instance directory
for an external daemon to detect and restart, if necessary.
Due to limitation of the watch dog (nuxwdog) at present time,
the restart option currently only works if started with watch dog (nuxwdog),
and it will prompt for passwords on the terminals.
The restart counter is to prevent the server from going into an infinite restart
loop. Administrator will have to reset autoShutdown.restart.count to 0 when max
is reached.
(cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CertProcessor.setCredentialsIntoContext() and CAProcessor.
authenticate() methods have been modified such that they can
accept credentials provided via the AuthCredentials (for REST
services) or via the HttpServletRequest (for legacy servlets).
The CertEnrollmentRequest has been modified to inherit from
ResourceMessage such that REST clients can provide the credentials
via request attributes.
https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
|
|
|
|
|
|
|
|
|
|
| |
The EnrollmentProcessor.processEnrollment() and RenewalProcessor.
processRenewal() methods that take CMSRequest object have been
moved into ProfileSubmitServlet because they are only used by
the legacy servlet.
https://fedorahosted.org/pki/ticket/1463
(cherry picked from commit 0e728a28c1a5515bb7dbf5ee799c093bd6db6813)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The pki-server subsystem-cert-update has been modified to support
secure database connection with client certificate authentication.
The certificate and the private key will be exported temporarily
into PEM files so python-ldap can use them.
The pki client-cert-show has been modified to provide an option
to export client certificate's private key.
https://fedorahosted.org/pki/ticket/1551
(cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
Conflicts:
base/server/upgrade/10.2.0/01-AddTLSRangeSupport
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Due to a certificate mapping issue the subsystem certificate can
be mapped into either the subsystem user or pkidbuser, which may
cause problems since the users don't belong to the same groups.
As a temporary solution the pkidbuser is now added into the same
groups. This way the client subsystem can always access the
services regardless of which user the certificate is actually
mapped to.
Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival
https://fedorahosted.org/pki/ticket/1595
(cherry picked from commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76)
Conflicts:
base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
|
|
|
|
|
|
|
|
|
|
| |
A set of new pki-server commands have been added to simplify
updating the cert data and cert request stored in the CS.cfg with
the cert data and cert request stored in the NSS and LDAP database,
respectively.
https://fedorahosted.org/pki/ticket/1551
(cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
|
|
|
|
|
|
| |
join security domain Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that: 1. The tested HSM seems to have issue with them (will still continue to investigate) 2. While the Perfect Forward Secrecy provides added security by the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to estabish. 3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
(cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
|
|
|
|
|
|
|
|
|
|
| |
This patch fixes the RSA ciphers that were mistakenly turned on under ECC
section, and off under RSA section. A few adjustments have also been made
based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info
was also created to
1. provide info on the ciphers
2. provide default rsa and ecc ciphers for admins to incorporate into earlier
instances (as migration script might not be ideal due to possible customization)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
There were some things wrong with the setpin utility.
1. There were some syntax violations that had to be dealt with or a DS with syntax checking
would not be pleased.
2. The back end is expecting a byte of hash data at the beginning of the pin.
In our case we are sending NO hash so we want this code at the beginning '-'
3. We also need to prepend the dn in front of the pin so the back end can verify the set pin.
Tested to work during both steps of the setpin process: 1) Creating the schema, 2) creating the pin.
Tested to work with actual PinBased Enrollment.
4. Fix also now supports the SHA256 hashing method only, with the sha256 being the default hash.
The no hash option is supported but puts the pin in the clear.
(cherry picked from commit f60846e025ff5492e8c05ccf525fe8df1b59bba6)
|
|
|
|
| |
(cherry picked from commit de2c76f989adcf79b083c7f324c1b9b68571f83a)
|
|
|
|
|
|
|
|
|
|
| |
The ListCerts servlet and the templates have been fixed to pass
the skipRevoked and skipNonValid parameters to the subsequent page.
Some debugging messages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1538
(cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We currently disable the cert status maintenance thread on
clone CAs because CRL processing should only be done on the
master CA. Currently, the maintenance thread also performs
other checks on serial number ranges and settings. By disabling
the maintenance thread, we disable these checks too.
To fix this, we have separated the serial number checks into a
different maintenance thread, so that these tasks will occur
even if the cert status thread is disabled.
Bugzilla # 1251606
(cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
|
|
|
|
|
|
|
| |
- PKI TRAC Ticket #1443 - pkidaemon status tomcat list URLs under PKI
subsystems which are not accessible
- PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat
shows an error page
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-
This patch adds a feature to allow a directory based authentication plugin
to use bound ldap conneciton instead of anonymous.
Two files need to be edited
1. <instance>/conf/password.conf
add a "tag" and the password of the binding user dn to the file
e.g. externalLDAP=password123
2. <instance>/ca/CS.cfg
add the tag to cms.passwordlist:
e.g. cms.passwordlist=internaldb,replicationdb,externalLDAP
add the authPrefix of the auths entry for the authentication instance
e.g. externalLDAP.authPrefix=auths.instance.UserDirEnrollment
add relevant entries to the authentication instance
e.g. auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
|
|
|
|
|
|
|
|
|
|
|
|
| |
The CA services have been modified to inject request hostname and
address into the certificate request object such that they will be
stored in the database. This fixes the problem with requests
submitted either via the UI or the CLI.
An unused method in CertRequestResource has been removed. Some
debug messages have been cleaned as well.
https://fedorahosted.org/pki/ticket/1535
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414
|
|
|
|
|
|
|
|
| |
Ticket #1523
Move the dire warning about the crypto object to sections where it applies.
Also slightly changed the message due to context.
|
|
|
|
|
| |
- PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating
ecc admin certificate
|