path: root/base/server
Commit message (author, age, files changed, lines -removed/+added)
* Fixed KRA install problem. [branch-10.2.7-dev1] (Endi S. Dewata, 2016-04-02, 2 files, -28/+44)
  Currently when installing an additional subsystem to an existing instance the install tool always generates a new random password in the pki_pin property which would not work with the existing NSS database. The code has been modified to load the existing NSS database password from the instance if the instance already exists. The PKIInstance class has been modified to allow loading a partially created instance to help the installation.
  https://fedorahosted.org/pki/ticket/2247
* Install tools clean-up. (Endi S. Dewata, 2016-04-02, 5 files, -16/+13)
  Some variables in pkispawn and pkidestroy have been renamed for clarity. The unused PKI_CERT_DB_PASSWORD_SLOT variable has been removed. The constant pki_self_signed_token property has been moved into default.cfg.
  https://fedorahosted.org/pki/ticket/2247
* Fix escaping of password fields to prevent interpolation (Christian Heimes, 2016-04-02, 1 file, -0/+3)
  Some password and pin fields are missing from the no_interpolation list. One entry is misspelled. A '%' in a password field such as pki_clone_pkcs12_password causes an installation error.
  https://fedorahosted.org/pki/ticket/1703
  Signed-off-by: Christian Heimes <cheimes@redhat.com>
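The failure this commit fixes, as an added example that is not part of pkispawn: the deployment config is read with Python's configparser, whose default BasicInterpolation treats '%' as the start of a %(name)s reference, so a password such as 'clone%pw' raises InterpolationSyntaxError unless that key is fetched with raw=True. The property names below are pkispawn's; the sample values, the two helper functions and the short no_interpolation set are constructed for this example and are not the project's list.

```python
import configparser

# Constructed sample of a pkispawn-style deployment config.  The property
# names are real pkispawn properties; the values are made up for the example.
SAMPLE_CFG = """
[DEFAULT]
pki_instance_name=pki-tomcat
pki_admin_password=Secret%123
pki_clone_pkcs12_password=clone%pw
pki_clone_pkcs12_path=/root/clone.p12
pki_ds_base_dn=dc=%(pki_instance_name)s
"""

# Keys that must be read without interpolation.  Assumed subset for the
# example; pkispawn's own no_interpolation list is longer.
NO_INTERPOLATION = frozenset({
    "pki_admin_password",
    "pki_clone_pkcs12_password",
})


def load_deployment_config(text, no_interpolation=NO_INTERPOLATION,
                           section="DEFAULT"):
    """Return {key: value} for SECTION, reading secret fields raw.

    Ordinary fields keep %(name)s expansion, which the deployment config
    relies on.  Secret fields are fetched with raw=True so that a literal
    '%' in a password comes back verbatim instead of raising
    configparser.InterpolationSyntaxError at install time.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    values = {}
    for key in parser[section]:
        values[key] = parser.get(section, key, raw=key in no_interpolation)
    return values


def interpolation_error_name(text, key, section="DEFAULT"):
    """Name of the exception raised when KEY is read with interpolation on,
    or None if the read succeeds.  Reproduces the install failure."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    try:
        parser.get(section, key)
    except configparser.InterpolationError as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    cfg = load_deployment_config(SAMPLE_CFG)
    print(cfg["pki_clone_pkcs12_password"])                      # clone%pw
    print(interpolation_error_name(SAMPLE_CFG, "pki_admin_password"))
```

The check to keep from this: every field that can hold user-chosen secret material (passwords, PINs, PKCS #12 passwords) belongs on the raw list, and a test that loads a config whose passwords contain '%' catches the omission this commit fixed.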
* Fixed certificate chain import problem. (Endi S. Dewata, 2016-04-02, 1 file, -10/+13)
  In the external CA case if the externally-signed CA certificate is included in the certificate chain the CA certificate may get imported with an incorrect nickname. The code has been modified such that the certificate chain is imported after the CA certificate is imported with the proper nickname.
  https://fedorahosted.org/pki/ticket/2022
* Added support for cloning 3rd-party CA certificates. (Endi S. Dewata, 2016-04-02, 1 file, -0/+19)
  The installation code has been modified such that it imports all CA certificates from the PKCS #12 file for cloning before the server is started using certutil. The user certificates will continue to be imported using the existing JSS code after the server is started. This is necessary since JSS is unable to preserve the CA certificate nicknames. The PKCS12Util has been modified to support multiple certificates with the same nicknames. The pki pkcs12-cert-find has been modified to show the certificate ID and another field indicating whether the certificate has a key. The pki pkcs12-cert-export has been modified to accept either certificate nickname or ID. The pki pkcs12-import has been modified to provide options for importing only user certificates or CA certificates.
  https://fedorahosted.org/pki/ticket/1742
* Additional clean-ups for PKCS #12 utilities. (Endi S. Dewata, 2016-04-02, 4 files, -19/+20)
  The pki_server_external_cert_path has been renamed to pki_server_external_certs_path to match the file name. A default pki_server_external_certs_path has been added to default.cfg. The pki pkcs12-export has been modified to export into an existing PKCS #12 file by default. The pki-server instance-cert-export has been modified to accept a list of nicknames to export.
  https://fedorahosted.org/pki/ticket/1742
* Renamed PKCS #12 options for consistency. (Endi S. Dewata, 2016-04-02, 6 files, -41/+41)
  The pki CLI's --pkcs12 option has been renamed to --pkcs12-file for consistency with pki-server CLI options.
  https://fedorahosted.org/pki/ticket/1742
* Handle import and export of external certs (Ade Lee, 2016-04-02, 9 files, -14/+345)
  Ticket 1742 has a case where a third party CA certificate has been added by IPA to the dogtag certdb for the proxy cert. There is no way to ensure that this certificate is imported when the system is cloned. This patch will allow the user to import third party certificates into a dogtag instance through CLI commands (pki-server). The certs are tracked by a new instance level configuration file external_certs.conf. Then, when cloning:
  1. When the pk12 file is created by the pki-server ca-clone-prepare command, the external certs are automatically included.
  2. When creating the clone, the new pki_server_pk12_path and password must be provided. Also, a copy of the external_certs.conf file must be provided.
  3. This copy will be read and merged with the existing external_certs.conf if one exists.
* Implement total ordering for PKISubsystem and PKIInstance (Christian Heimes, 2016-04-02, 1 file, -0/+45)
  In Python 3 subclasses no longer implement automatic ordering. To provide ordering for sort() and custom comparison, __eq__ and __lt__ are required.
  https://fedorahosted.org/pki/ticket/2216
* Py3 modernization: libmodernize.fixes.fix_import (Christian Heimes, 2016-04-02, 48 files, -0/+53)
  Enforce absolute imports or explicit relative imports. Python 3 no longer supports implicit relative imports, that is unqualified imports from a module's directory. In order to load a module from the same directory inside a package, use "from . import module". The future feature "from __future__ import absolute_import" ensures that pki uses absolute imports on Python 2, too.
  See https://www.python.org/dev/peps/pep-0328/
* Added mechanism to import system certs via PKCS #12 file. (Endi S. Dewata, 2016-04-02, 6 files, -77/+126)
  The installation tool has been modified to provide an optional pki_server_pkcs12_path property to specify a PKCS #12 file containing the certificate chain, system certificates, and third-party certificates needed by the subsystem being installed. If the pki_server_pkcs12_path is specified the installation tool will no longer download the certificate chain from the security domain directly, and it will no longer import the PKCS #12 containing the entire master NSS database specified in pki_clone_pkcs12_path. For backward compatibility, if the pki_server_pkcs12_path is not specified the installation tool will use the old mechanism to import the system certificates. The ConfigurationUtils.verifySystemCertificates() has been modified not to catch the exception to help troubleshooting.
  https://fedorahosted.org/pki/ticket/1742
* Added pki-server commands to export system certificates. (Endi S. Dewata, 2016-04-02, 9 files, -33/+1020)
  Some pki-server commands have been added to simplify exporting the required certificates for subsystem installations. These commands will invoke the pki pkcs12 utility to export the certificates from the instance NSS database. The pki-server ca-cert-chain-export command will export the certificate chain needed for installing additional subsystems running on a separate instance. The pki-server <subsystem>-clone-prepare commands will export the certificates required for cloning a subsystem.
  https://fedorahosted.org/pki/ticket/1742
* Build using tomcat 7.0.68 on F22 (Matthew Harmsen, 2016-03-29, 1 file, -0/+5)
  (cherry picked from commit 7638c5af03e50c4a59a2f7a2c96483bfae27045c)
* pki-tomcat8 needs tomcat-api.jar to compile (Christian Heimes, 2016-03-29, 1 file, -1/+9)
  Tomcat 8.0.32 has moved org.apache.tomcat.ContextBind into tomcat-api.jar. Add tomcat-api.jar to the javac classpath to compile pki with the latest Tomcat.
  https://fedorahosted.org/pki/attachment/ticket/2222
  (cherry picked from commit 263dc2152640a95c8ca9b2829e74cce3a877f077)
  (cherry picked from commit a7055d92466463d444da83db94c7b775a33e6aa0)
* Modify dnsdomainname test in pkispawn (Ade Lee, 2016-03-29, 3 files, -3/+3)
  We do a check for the dnsdomainname, which fails in Openstack CI because this is not set. Instead of exiting, default to the hostname.
  (cherry picked from commit 795465f8620a0a10092435dce46e4cff93dbc20a)
* Fixed KRA installation. (Endi S. Dewata, 2016-02-22, 3 files, -3/+3)
  Due to a recent change the KRA installation failed because the installer was trying to read the pki_external_csr_path parameter which is not available for KRA installation. The installer has been fixed to read the parameter in the external CA case only.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit d42f39334ce4b4f5fa89707bfb6145039ff04579)
* Renamed pki.nss into pki.nssdb. (Endi S. Dewata, 2016-02-22, 3 files, -8/+8)
  The pki.nss module has been renamed into pki.nssdb to prevent conflicts with the nss module.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 9609f4e6035d3cdff19a0f78caee2d08b095c8ba)
* Fixed installation summary for existing CA. (Endi S. Dewata, 2016-02-22, 3 files, -10/+26)
  The pkispawn has been modified to display the proper summary for the external CA and existing CA cases.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 66a4b7e635a4456a102221049c58c461d3429093)
* Fixed mismatching certificate validity calculation. (Endi S. Dewata, 2016-02-22, 2 files, -14/+67)
  The CAValidityDefault has been modified to use the Calendar API to calculate the certificate validity range to be consistent with the ValidityConstraint and ValidityDefault.
  https://fedorahosted.org/pki/ticket/1682
  (cherry picked from commit 9193fe5191d1bd857b7e1f5a398c6a279b42ec84)
* Fixed external CA case for IPA compatibility. (Endi S. Dewata, 2016-02-22, 3 files, -6/+34)
  The installation code for the external CA case has been fixed such that IPA can detect step 1 completion properly. The code that handles certificate data conversion has been fixed to reformat base-64 data for PEM output properly. The installation summary for step 1 has been updated to provide more accurate information.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 449e4357e733a70e8f27f65f69ca8f0f7c8b5b21)
* Updated pki-cert and pki-server-subsystem man pages. (Endi S. Dewata, 2016-02-22, 1 file, -1/+25)
  The pki-cert and pki-server-subsystem man pages have been updated to include recent changes.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 3294f5087997427d060bce85d033652f7a8431da)
* Added mechanism to import existing CA certificate. (Endi S. Dewata, 2016-02-22, 7 files, -39/+325)
  The deployment procedure for external CA has been modified such that it generates the CA CSR before starting the server. This allows the same procedure to be used to import a CA certificate from an existing server. It also removes the requirement to keep the server running while waiting to get the CSR signed by an external CA.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 20c985ae773b26f653cac6d22bd9d93923e18c8e)
* Added pki-server subsystem-cert-export command. (Endi S. Dewata, 2016-02-22, 2 files, -0/+132)
  A new command has been added to export a system certificate, the CSR, and the key. This command can be used to migrate a system certificate into another instance.
  https://fedorahosted.org/pki/ticket/456
  (cherry picked from commit 9dce4a497f7c977a3c453972706eeb325bd33275)
* Block startup until initial profile load completed (Fraser Tweedale, 2016-01-21, 1 file, -2/+35)
  It is possible for the CMS getStatus resource to indicate that CMS is ready when the initial loading of profiles (which is performed by another thread) is not complete. During startup, wait for the initial loading of profiles to complete before continuing.
  Fixes: https://fedorahosted.org/pki/ticket/1702
* Ensure config store commits refresh file-based profile data (Fraser Tweedale, 2016-01-21, 1 file, -1/+38)
  The file-based LDAP profile subsystem does not update profiles correctly. Ensure that each commit of the underlying config store refreshes the profile inputs, outputs and policy objects.
  Part of: https://fedorahosted.org/pki/ticket/1700
* Handle LDAPProfileSubsystem delete-then-recreate races (Fraser Tweedale, 2016-01-21, 1 file, -20/+92)
  Deleting and then immediately recreating a profile can result in the new profile temporarily going missing, if the DELETE EntryChangeControl is processed after profile readdition. Handle this case by tracking the nsUniqueId of entries that are deleted by an LDAPProfileSubsystem and NOT (re-)forgetting the profile when the subsequent EntryChangeControl gets processed.
  Fixes: https://fedorahosted.org/pki/ticket/1700
* Avoid profile race conditions by tracking entryUSN (Fraser Tweedale, 2016-01-21, 4 files, -26/+106)
  Avoid race conditions in the LDAPProfileSubsystem by tracking the most recently known entryUSN of profiles' LDAP entries. As part of this change, add the commitProfile method to the IProfileSubsystem interface, remove commit behaviour from the enableProfile and disableProfile methods and update ProfileService and ProfileApproveServlet to commit the profile (using the commitProfile method) where needed.
  Part of: https://fedorahosted.org/pki/ticket/1700
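The two races these commits handle (a DELETE notification that arrives after the profile was deleted and recreated, and a stale change notification applied over a newer state), as an added Python simulation that is not Dogtag's LDAPProfileSubsystem code. It generalises slightly: besides remembering the nsUniqueId of its own deletes, the cache also ignores a DELETE whose nsUniqueId does not match the entry it currently holds, and it drops any ADD/MODIFY whose entryUSN is not newer than what it has. Profile names, nsUniqueId values and USN numbers are made up for the example.

```python
from dataclasses import dataclass


@dataclass
class ProfileEntry:
    """What the subsystem knows about one profile's LDAP entry."""
    profile_id: str
    ns_unique_id: str   # nsUniqueId: per entry; a recreated entry gets a new one
    entry_usn: int      # entryUSN: backend-wide counter, grows with every write
    config: dict


class ProfileCache:
    """In-memory profile set kept in sync from LDAP change notifications."""

    def __init__(self):
        self.profiles = {}        # profile_id -> ProfileEntry
        self.own_deletes = set()  # nsUniqueIds of entries this subsystem deleted

    def on_add_or_modify(self, entry):
        """ADD/MODIFY notification (or the re-read after our own commit)."""
        known = self.profiles.get(entry.profile_id)
        if known is not None and entry.entry_usn <= known.entry_usn:
            return "stale"        # we already hold this USN or a newer one
        self.profiles[entry.profile_id] = entry
        return "applied"

    def delete_locally(self, profile_id):
        """Our own delete: drop the profile now and remember the nsUniqueId,
        because the DELETE notification for it may arrive only later."""
        entry = self.profiles.pop(profile_id)
        self.own_deletes.add(entry.ns_unique_id)
        return entry

    def on_delete_notification(self, profile_id, ns_unique_id):
        """DELETE notification carrying the deleted entry's nsUniqueId."""
        if ns_unique_id in self.own_deletes:
            # Our earlier delete.  The profile may have been recreated since
            # under a new nsUniqueId, so do not forget it again.
            self.own_deletes.discard(ns_unique_id)
            return "ignored-own-delete"
        current = self.profiles.get(profile_id)
        if current is None or current.ns_unique_id != ns_unique_id:
            return "ignored-other-entry"   # refers to an entry we no longer hold
        del self.profiles[profile_id]
        return "forgotten"


def delete_then_recreate_scenario():
    """Replay the race from the commit message: delete, recreate, and only
    then receive the notifications for the old entry.  Returns the list of
    outcomes and the final cache (constructed data, illustrative profile name)."""
    cache = ProfileCache()
    outcomes = []
    outcomes.append(cache.on_add_or_modify(
        ProfileEntry("caUserCert", "uid-A", 10, {"enable": "true"})))
    cache.delete_locally("caUserCert")
    outcomes.append(cache.on_add_or_modify(
        ProfileEntry("caUserCert", "uid-B", 12, {"enable": "false"})))
    # Late DELETE notification for the old entry: must not remove the new one.
    outcomes.append(cache.on_delete_notification("caUserCert", "uid-A"))
    # Late ADD notification for the old entry: USN 10 < 12, so it is stale.
    outcomes.append(cache.on_add_or_modify(
        ProfileEntry("caUserCert", "uid-A", 10, {"enable": "true"})))
    # A genuine later modification is applied.
    outcomes.append(cache.on_add_or_modify(
        ProfileEntry("caUserCert", "uid-B", 13, {"enable": "true"})))
    return outcomes, cache


if __name__ == "__main__":
    results, final = delete_then_recreate_scenario()
    print(results, final.profiles["caUserCert"].ns_unique_id)
```

Without the own_deletes set the third step would remove the freshly recreated profile; without the USN comparison the fourth step would resurrect the old entry's configuration. Both guards only work because entryUSN is monotonic across the whole backend, not per entry.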
* Extract LDAPControl search function to LDAPUtil (Fraser Tweedale, 2016-01-21, 1 file, -11/+4)
* Added automatic Tomcat migration. (Matthew Harmsen, 2015-11-01, 5 files, -27/+51)
  The pki-server migrate command has been modified such that if there is no specific Tomcat version specified it will use the current Tomcat version. The top attribute in the CLI class was not functioning properly, so it has been replaced with the get_top_module() method. The getopt() invocations in pki-server subcommands have been replaced with gnu_getopt() to allow intermixing options and arguments.
  https://fedorahosted.org/pki/ticket/1310
  (based upon Edewata patch c7bc6eb94aa64c89467f9394554f860dc485ad94)
* Replaced legacy HttpClient. (Endi S. Dewata, 2015-10-23, 4 files, -307/+261)
  The ConfigurationUtils and CertUtil have been modified to use PKIConnection which uses Apache HttpClient instead of the legacy custom HttpClient. The POST request content is now created using MultivaluedMap. The PKIConnection has been modified to provide a get() method to send an HTTP GET request. The post() method was modified to accept a path parameter.
  https://fedorahosted.org/pki/ticket/342
  (cherry picked from commit aaacd71a2f125501645885d3da1de18459782572)
* Removed unused WizardServlet. (Endi S. Dewata, 2015-10-23, 26 files, -6975/+59)
  The unused configuration wizard servlet has been removed to simplify refactoring other code. The remaining references in CertUtil and ConfigurationUtils have been removed as well.
  https://fedorahosted.org/pki/ticket/1120
  (cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
* Fixed user search in PasswdUserDBAuthentication. (Endi S. Dewata, 2015-10-06, 3 files, -73/+50)
  The PasswdUserDBAuthentication.authenticate() has been modified such that it uses the UGSubsystem to find the user in the proper LDAP subtree to avoid matching other LDAP entries that contain a uid attribute.
  https://fedorahosted.org/pki/ticket/1580
  (cherry picked from commit 017d582ba50fe4ffc4bedf40a5229fb6aa381b37)
* Ticket #1593 auto-shutdown - for HSM failover support (Christina Fu, 2015-10-01, 3 files, -19/+178)
  This is an interim solution for supporting HSM failover by automatically shutting down the server when the signing key becomes inaccessible. At auto-shutdown, a crumb file will be left in the instance directory for an external daemon to detect and restart, if necessary. Due to limitations of the watchdog (nuxwdog) at the present time, the restart option currently only works if started with the watchdog (nuxwdog), and it will prompt for passwords on the terminal. The restart counter is to prevent the server from going into an infinite restart loop. The administrator will have to reset autoShutdown.restart.count to 0 when the max is reached.
  (cherry picked from commit 5a9ecad9172f76ca1b94b40aedcdd49d009aceb1)
* Refactored certificate processors. (Endi S. Dewata, 2015-09-30, 8 files, -48/+107)
  The CertProcessor.setCredentialsIntoContext() and CAProcessor.authenticate() methods have been modified such that they can accept credentials provided via the AuthCredentials (for REST services) or via the HttpServletRequest (for legacy servlets). The CertEnrollmentRequest has been modified to inherit from ResourceMessage such that REST clients can provide the credentials via request attributes.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 6c5fc90ffedcd7be17a2d014915f8e908e2488d5)
* Relocated legacy cert enrollment methods. (Endi S. Dewata, 2015-09-30, 4 files, -51/+72)
  The EnrollmentProcessor.processEnrollment() and RenewalProcessor.processRenewal() methods that take a CMSRequest object have been moved into ProfileSubmitServlet because they are only used by the legacy servlet.
  https://fedorahosted.org/pki/ticket/1463
  (cherry picked from commit 0e728a28c1a5515bb7dbf5ee799c093bd6db6813)
* Added support for secure database connection in CLI. (Endi S. Dewata, 2015-09-23, 3 files, -12/+97)
  The pki-server subsystem-cert-update has been modified to support secure database connection with client certificate authentication. The certificate and the private key will be exported temporarily into PEM files so python-ldap can use them. The pki client-cert-show has been modified to provide an option to export the client certificate's private key.
  https://fedorahosted.org/pki/ticket/1551
  (cherry picked from commit f153bd8a455953698e8af5085cd3cd7b368b1247)
  Conflicts: base/server/upgrade/10.2.0/01-AddTLSRangeSupport
* Fixed pkidbuser group memberships. (Matthew Harmsen, 2015-09-23, 1 file, -28/+59)
  Due to a certificate mapping issue the subsystem certificate can be mapped into either the subsystem user or pkidbuser, which may cause problems since the users don't belong to the same groups. As a temporary solution the pkidbuser is now added into the same groups. This way the client subsystem can always access the services regardless of which user the certificate is actually mapped to.
  Bugzilla Bug #1258634 - CA fails to authenticate to KRA for archival
  https://fedorahosted.org/pki/ticket/1595
  (cherry picked from commit e6f8b52e97926e7b6c30a6ce958a7e590c2e6b76)
  Conflicts: base/server/cms/src/com/netscape/cms/servlet/csadmin/ConfigurationUtils.java
* Added CLI to update cert data and request in CS.cfg. (Endi S. Dewata, 2015-09-23, 6 files, -81/+720)
  A set of new pki-server commands has been added to simplify updating the cert data and cert request stored in the CS.cfg with the cert data and cert request stored in the NSS and LDAP database, respectively.
  https://fedorahosted.org/pki/ticket/1551
  (cherry picked from commit 7ed1e32c574a2ee93a62297d16e07a7071e696d7)
* Ticket 1566 on HSM, non-CA subsystem installations failing while trying to join security domain (Christina Fu, 2015-08-19, 2 files, -18/+26)
  Investigation shows that this issue occurs when the non-CA subsystem's SSL server and client keys are also on the HSM. While browsers (on soft token) have no issue connecting to any of the subsystems on HSM, subsystem to subsystem communication has issues when the TLS_ECDHE_RSA_* ciphers are turned on. We have decided to turn off the TLS_ECDHE_RSA_* ciphers by default (can be manually turned on if desired) based on the fact that:
  1. The tested HSM seems to have issues with them (will still continue to investigate)
  2. While Perfect Forward Secrecy provides added security via the TLS_ECDHE_RSA_* ciphers, each SSL session takes 3 times longer to establish.
  3. The TLS_RSA_* ciphers are adequate at this time for the CS system operations
  (cherry picked from commit 89211b9915e9c3e034d311ac0fa7091e9e08bde8)
* Ticket #1556 Weak HTTPS TLS ciphers (Christina Fu, 2015-08-14, 4 files, -34/+110)
  This patch fixes the RSA ciphers that were mistakenly turned on under the ECC section, and off under the RSA section. A few adjustments have also been made based on Bob Relyea's feedback. A new file, <instance>/conf/ciphers.info, was also created to
  1. provide info on the ciphers
  2. provide default rsa and ecc ciphers for admins to incorporate into earlier instances (as a migration script might not be ideal due to possible customization)
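An added example, not the project's code, of auditing a cipher range of the kind these two commits edit: it parses the list, reports which enabled suites match well-known weak markers, and produces the variant with a whole family (here TLS_ECDHE_RSA_*, mirroring the default the first commit chose) switched off. It assumes the '+NAME,-NAME' comma-separated form of the sslRangeCiphers attribute; the sample string is constructed, and the weak-marker list is generic (NULL, RC4, 3DES, export, MD5, anon) rather than anything taken from ciphers.info.

```python
# Assumed format: comma-separated suite names, each prefixed with '+'
# (enabled) or '-' (disabled).  The sample below is constructed, not
# copied from any server.xml.
SAMPLE_RANGE = (
    "+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,"
    "+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
    "+TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
    "+TLS_RSA_WITH_RC4_128_SHA,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_NULL_SHA"
)

# Substrings that mark suites no current deployment should leave enabled.
WEAK_MARKERS = ("_NULL_", "_RC4_", "_3DES_", "_DES_", "_EXPORT", "_MD5", "_anon_")


def parse_cipher_range(text):
    """Return an ordered {suite_name: enabled} mapping; reject malformed tokens."""
    suites = {}
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if token[0] not in "+-":
            raise ValueError(f"cipher token without +/- prefix: {token!r}")
        suites[token[1:]] = token[0] == "+"
    return suites


def format_cipher_range(suites):
    """Inverse of parse_cipher_range, preserving order."""
    return ",".join(("+" if on else "-") + name for name, on in suites.items())


def enabled_suites(text):
    return [name for name, on in parse_cipher_range(text).items() if on]


def weak_enabled(text):
    """Enabled suites whose name contains a known-weak marker."""
    return [name for name in enabled_suites(text)
            if any(marker in name for marker in WEAK_MARKERS)]


def disable_family(text, prefix):
    """Return the range with every suite whose name starts with PREFIX
    disabled, e.g. prefix "TLS_ECDHE_RSA_"."""
    suites = parse_cipher_range(text)
    for name in suites:
        if name.startswith(prefix):
            suites[name] = False
    return format_cipher_range(suites)


def disable_weak(text):
    """Return the range with every weak-marked suite disabled."""
    suites = parse_cipher_range(text)
    for name in suites:
        if any(marker in name for marker in WEAK_MARKERS):
            suites[name] = False
    return format_cipher_range(suites)


if __name__ == "__main__":
    print("weak but enabled:", weak_enabled(SAMPLE_RANGE))
    print(disable_family(disable_weak(SAMPLE_RANGE), "TLS_ECDHE_RSA_"))
```

The audit is deliberately separate from the rewrite: run weak_enabled over every instance's range first, since the first commit's rationale (HSM behaviour, handshake cost) only justifies turning the ECDHE_RSA family off, and says nothing about suites like RC4 or NULL that a hand-customised older instance may still carry.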
* setpin utility doesn't set the pin for users. (Jack Magne, 2015-08-14, 1 file, -0/+5)
  There were some things wrong with the setpin utility.
  1. There were some syntax violations that had to be dealt with or a DS with syntax checking would not be pleased.
  2. The back end is expecting a byte of hash data at the beginning of the pin. In our case we are sending NO hash so we want this code at the beginning: '-'
  3. We also need to prepend the dn in front of the pin so the back end can verify the set pin. Tested to work during both steps of the setpin process: 1) creating the schema, 2) creating the pin. Tested to work with actual PinBased Enrollment.
  4. The fix also now supports the SHA256 hashing method only, with sha256 being the default hash. The no hash option is supported but puts the pin in the clear.
  (cherry picked from commit f60846e025ff5492e8c05ccf525fe8df1b59bba6)
* One-liner fix to conditional for new SerialNumberUpdateTask (Ade Lee, 2015-08-14, 1 file, -2/+2)
  (cherry picked from commit de2c76f989adcf79b083c7f324c1b9b68571f83a)
* Fixed missing query parameters in ListCerts page. (Endi S. Dewata, 2015-08-14, 1 file, -31/+29)
  The ListCerts servlet and the templates have been fixed to pass the skipRevoked and skipNonValid parameters to the subsequent page. Some debugging messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1538
  (cherry picked from commit 24d7d88bd0d8b79fe5b8b6dfd84238399bc1433c)
* Separate range and cert status threads (Ade Lee, 2015-08-14, 1 file, -4/+76)
  We currently disable the cert status maintenance thread on clone CAs because CRL processing should only be done on the master CA. Currently, the maintenance thread also performs other checks on serial number ranges and settings. By disabling the maintenance thread, we disable these checks too. To fix this, we have separated the serial number checks into a different maintenance thread, so that these tasks will occur even if the cert status thread is disabled.
  Bugzilla # 1251606
  (cherry picked from commit d3d80046fd6985b809900005a685695d3181d9d3)
* remove more inaccessible URLs from server.xml (Matthew Harmsen, 2015-08-07, 4 files, -16/+12)
  - PKI TRAC Ticket #1443 - pkidaemon status tomcat lists URLs under PKI subsystems which are not accessible
  - PKI TRAC Ticket #1518 - OCSP ee url returned by pkidaemon status tomcat shows an error page
* Ticket 1531 Directory auth plugin requires LDAP anonymous binds (Christina Fu, 2015-08-07, 6 files, -12/+131)
  - This patch adds a feature to allow a directory based authentication plugin to use a bound ldap connection instead of anonymous. Two files need to be edited:
  1. <instance>/conf/password.conf: add a "tag" and the password of the binding user dn to the file, e.g.
     externalLDAP=password123
  2. <instance>/ca/CS.cfg: add the tag to cms.passwordlist, e.g.
     cms.passwordlist=internaldb,replicationdb,externalLDAP
     add the authPrefix of the auths entry for the authentication instance, e.g.
     externalLDAP.authPrefix=auths.instance.UserDirEnrollment
     add relevant entries to the authentication instance, e.g.
     auths.instance.UserDirEnrollment.ldap.ldapBoundConn=true
     auths.instance.UserDirEnrollment.ldap.ldapauth.authtype=BasicAuth
     auths.instance.UserDirEnrollment.ldap.ldapauth.bindDN=uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com
     auths.instance.UserDirEnrollment.ldap.ldapauth.bindPWPrompt=externalLDAP
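The edits listed in that commit message, as an added Python example that is not Dogtag's code: parse the two files, apply the edits, and verify that the tag named in bindPWPrompt, the cms.passwordlist entry, the <tag>.authPrefix key and the password.conf entry all agree, because a missing piece either leaves the plugin binding anonymously (ldapBoundConn unset) or leaves it without a way to obtain the bind password. The CS.cfg keys named in the commit are used verbatim; the other keys in the sample fragment (pluginName, basedn, ldapconn.*) and every value are illustrative.

```python
# Constructed fragments of the two files the commit says must be edited.
# Values are illustrative; keys other than the ones the commit names are
# assumed placeholders for an existing UserDirEnrollment instance.
CS_CFG = """
cms.passwordlist=internaldb,replicationdb
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth
auths.instance.UserDirEnrollment.ldap.basedn=ou=people,dc=EXAMPLE,dc=com
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ldap.example.com
auths.instance.UserDirEnrollment.ldap.ldapconn.port=636
"""

PASSWORD_CONF = """
internaldb=changeme-internaldb
replicationdb=changeme-replicationdb
"""


def parse_kv(text):
    """Parse key=value lines (CS.cfg and password.conf share this shape).
    Split on the first '=' only, since DNs and base DNs contain '='."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        values[key.strip()] = value.strip()
    return values


def format_kv(values):
    return "\n".join(f"{k}={v}" for k, v in values.items()) + "\n"


def enable_bound_ldap_auth(cs_cfg, password_conf, instance, tag, bind_dn, password):
    """Apply the commit's edits to the parsed files (mutated in place)."""
    password_conf[tag] = password
    tags = [t for t in cs_cfg.get("cms.passwordlist", "").split(",") if t]
    if tag not in tags:
        tags.append(tag)
    cs_cfg["cms.passwordlist"] = ",".join(tags)
    cs_cfg[f"{tag}.authPrefix"] = f"auths.instance.{instance}"
    ldap = f"auths.instance.{instance}.ldap."
    cs_cfg[ldap + "ldapBoundConn"] = "true"
    cs_cfg[ldap + "ldapauth.authtype"] = "BasicAuth"
    cs_cfg[ldap + "ldapauth.bindDN"] = bind_dn
    cs_cfg[ldap + "ldapauth.bindPWPrompt"] = tag
    return cs_cfg, password_conf


def check_bound_ldap_auth(cs_cfg, password_conf, instance):
    """Return a list of problems; an empty list means the pieces agree."""
    problems = []
    ldap = f"auths.instance.{instance}.ldap."
    if cs_cfg.get(ldap + "ldapBoundConn", "false").lower() != "true":
        return [f"{instance}: ldapBoundConn is not true, plugin binds anonymously"]
    if cs_cfg.get(ldap + "ldapauth.authtype") != "BasicAuth":
        problems.append(f"{instance}: ldapauth.authtype must be BasicAuth")
    if not cs_cfg.get(ldap + "ldapauth.bindDN"):
        problems.append(f"{instance}: ldapauth.bindDN is missing")
    tag = cs_cfg.get(ldap + "ldapauth.bindPWPrompt")
    if not tag:
        problems.append(f"{instance}: ldapauth.bindPWPrompt is missing")
        return problems
    if tag not in cs_cfg.get("cms.passwordlist", "").split(","):
        problems.append(f"{tag}: not listed in cms.passwordlist")
    if tag not in password_conf:
        problems.append(f"{tag}: no entry in password.conf")
    if cs_cfg.get(f"{tag}.authPrefix") != f"auths.instance.{instance}":
        problems.append(f"{tag}.authPrefix does not point at auths.instance.{instance}")
    return problems


if __name__ == "__main__":
    cs, pw = parse_kv(CS_CFG), parse_kv(PASSWORD_CONF)
    print(check_bound_ldap_auth(cs, pw, "UserDirEnrollment"))
    enable_bound_ldap_auth(cs, pw, "UserDirEnrollment", "externalLDAP",
                           "uid=rhcs,ou=serviceaccounts,dc=EXAMPLE,dc=com", "password123")
    print(check_bound_ldap_auth(cs, pw, "UserDirEnrollment"))
    print(format_kv(cs), format_kv(pw))
```

password.conf holds the bind password in the clear, so the new entry inherits whatever protection the existing internaldb entry has (file ownership and mode), and the bind account named in bindDN should have no more than read access to the user subtree the plugin searches.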
* Fixed missing cert request hostname and address. (Endi S. Dewata, 2015-08-05, 4 files, -27/+33)
  The CA services have been modified to inject the request hostname and address into the certificate request object such that they will be stored in the database. This fixes the problem with requests submitted either via the UI or the CLI. An unused method in CertRequestResource has been removed. Some debug messages have been cleaned up as well.
  https://fedorahosted.org/pki/ticket/1535
* Add code to reindex data during cloning without replication (Ade Lee, 2015-07-31, 5 files, -30/+78)
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* Firefox warning (Jack Magne, 2015-07-31, 1 file, -9/+0)
  Ticket #1523 Move the dire warning about the crypto object to sections where it applies. Also slightly changed the message due to context.
* Add certutil options for ECC (Matthew Harmsen, 2015-07-28, 5 files, -5/+38)
  - PKI TRAC Ticket #1524 - pkispawn: certutil options incorrect for creating ecc admin certificate