summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
* Added deployment parameters to construct pki_clone_uri.Endi S. Dewata2015-05-223-4/+6
| | | | | | | | New parameters have been added into the default.cfg to specify the master hostname and port for pki_clone_uri. By default they point to the security domain. The man page has been updated as well. https://fedorahosted.org/pki/ticket/1385
* Fixed key archival problem in CLI with separate KRA instance.Endi S. Dewata2015-05-222-54/+96
| | | | | | | | | | The CLI has been modified such that when enrolling a certificate with key archival it will obtain the transport certificate from the CA instead of KRA because the KRA may not reside on the same instance. The CA REST service has been modified such that it will obtain the transport certificate from the KRA connector. https://fedorahosted.org/pki/ticket/1384
* Cleaned up log messages in ConfigurationUtils.getPortFromSecurityDomain().Endi S. Dewata2015-05-221-4/+16
| | | | https://fedorahosted.org/pki/ticket/1372
* Fix XSS attacks on the dogtag administration page #1373.Jack Magne2015-05-1512-141/+127
| | | | | | | | | | | | Porting this set of fixes over from last downstream release upstream. Upon further review, decided to fix a few missing things pointed out by the code review and a few other things: 1. Too many copies of escapeJavaScriptString all over the place. Consolidated the two related functions "escapeJavaScriptString" and "escapeJavaScriptStringHTML" methods in the CMSTemplate class to be called everywhere. Removed the duplicated methods in other classes. 2. There were some places where "escapeJavaScriptString" was called, when we really wanted "escapeJavaScriptStringHTML". Fixed that everywhere. One reason for this is a copied version of "escapeJavaScriptString" actually was identical to CMSTemplate.escapeJavaScriptString, which has been removed. XSS fixes.
* Ticket 1160 audit needed for getKeyInfo; audit missing for auth/authz at ↵Christina Fu2015-05-141-1/+9
| | | | REST. This patch addresses: (2) audit needed for getKeyInfo, the 2nd part of this ticket where the key services are missing some auditing.
* Fixed pylint warning in pkihelper.py.Endi S. Dewata2015-05-141-1/+1
|
* Fixed problem redeploying subsystem.Endi S. Dewata2015-05-141-3/+13
| | | | | | | | The pki-server subsystem-enable CLI has been modified to deploy the subsystem from a custom location if available, or from the default location otherwise. https://fedorahosted.org/pki/ticket/1381
* modify contents of serverCertNick.confMatthew Harmsen2015-05-133-0/+48
| | | | | - PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA should hold off prepending token name in serverCertNick.conf till phase 2
* Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfoChristina Fu2015-05-134-39/+281
| | | | | | - (1) REST API auth/authz - this patch addresses the first part of this ticket where auditing is completely missing for authentication and authorization at the REST interface.
* Refactored upgrade scripts.Endi S. Dewata2015-05-119-186/+35
| | | | | | | The upgrade scripts have been modified to use the uid and gid provided by PKIInstance object. https://fedorahosted.org/pki/ticket/1341
* Added options for internal token and replication passwords.Endi S. Dewata2015-05-114-20/+30
| | | | | | | | The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before. https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemdAde Lee2015-05-1014-34/+130
| | | | | | | | | | | | | | | | | | | | | | This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Fixed installation logs.Endi S. Dewata2015-05-081-6/+13
| | | | | | | | | To help troubleshooting installation failures the pkihelper.py has been modified to display the error code returned by the server before parsing the error message. If there is a parsing error, the unparsed message will now be displayed. The redundant 'raise' and 'return' statements have been removed.
* Get profile ID from DN instead of CN attributeFraser Tweedale2015-05-081-8/+15
|
* Simple fix for this is not requiring the pki_client_database_password to be ↵Jack Magne2015-05-071-1/+3
| | | | | | set when performing a clone operation. Tested with a cloned CA and a couple of other subysstems, such as OCSP.
* Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user.Jack Magne2015-05-072-70/+10
| | | | | | | | | | The short term solution to this problem was to remove the man page information and all references to the command line module reponsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this as well. Tested this to verify that the man page for the "securtydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsytem. The security domain was kept up to date as expected for each install over remove attempted.
* Fixed pylint warnings.Endi S. Dewata2015-05-071-0/+3
| | | | | | | The pki.server Python module has been fixed to remove pylint warnings generated by recent changes. https://fedorahosted.org/pki/ticket/1353
* Fixed migration tool to update Tomcat libraries.Endi S. Dewata2015-05-062-7/+44
| | | | | | | | The migration tool has been fixed to update the links to Tomcat libraries in the instance folder to match the current Tomcat version installed on the system. https://fedorahosted.org/pki/ticket/1353
* Ticket 1295 Upgrade script for - CA: OCSP via GET does not workChristina Fu2015-05-051-0/+79
|
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-0/+100
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* Fix interactive install to not reprompt for portsAde Lee2015-04-293-7/+53
| | | | | Ports are already set when deploying into an existing instance. Having a user re-enter these is repetitious and error prone.
* Trac Ticket 1196 - serverCertNick.conf is replaced incorrectlyAde Lee2015-04-291-1/+3
| | | | | When second subsystem is installed, serverCertNick.conf and other top level tomcat config files should not be replaced.
* Code cleanup - simplify pkispawn codeAde Lee2015-04-2910-749/+716
| | | | | All subsystems are now tomcat instances. Conditionals based on whether the subsystem is a tomcat instance or not are no longer required.
* Add nuxwdog to java policyAde Lee2015-04-281-0/+3
| | | | | This allows PKI server to be loaded with nuxwdog library when java security policy is enabled.
* Add ability to pki-server to enable/disable nuxwdog for an instanceAde Lee2015-04-283-2/+447
| | | | | | This adds the ability to either enable or disable an instance using the pki-server utility. Additional documentation and additions to the man pages will be added in a separate patch.
* Fixed problem deploying without theme.Endi S. Dewata2015-04-241-12/+13
| | | | | | | The deployment tool has been modified to deploy the pki.xml only if the theme package is installed. https://fedorahosted.org/pki/ticket/499
* Remove duplicate prompt on nuxwdog startupAde Lee2015-04-231-0/+49
|
* Added direct deployment for theme.Endi S. Dewata2015-04-239-29/+163
| | | | | | | | The deployment tool has been modified to deploy the theme files directly from /usr/share/pki. New deployment descriptors have been added for admin templates and JS library. https://fedorahosted.org/pki/ticket/499
* Enumerate profiles in order of discoveryFraser Tweedale2015-04-233-4/+8
| | | | | | Recent change (d83f688) changed the order of profile enumeration. Track profiles using a LinkedHashMap to restore old behaviour where profiles were enumerated in the order they were discovered.
* Moved color settings to CSS.Endi S. Dewata2015-04-225-5/+5
| | | | | | | The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file. https://fedorahosted.org/pki/ticket/1296
* Moved CSS files to theme package.Endi S. Dewata2015-04-224-9986/+0
| | | | | | | The CSS files have been moved into the theme package to allow more control of the UI appearance. https://fedorahosted.org/pki/ticket/499
* Moved fonts and images to theme package.Endi S. Dewata2015-04-2221-0/+0
| | | | | | | The fonts and images have been moved into the theme package to allow more control of the UI appearance. https://fedorahosted.org/pki/ticket/499
* Added direct deployment for all subsystems.Endi S. Dewata2015-04-224-201/+3
| | | | | | | | The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications. https://fedorahosted.org/pki/ticket/499
* Fixed build issues.Endi S. Dewata2015-04-221-1/+0
| | | | | The code has been modified to fix tomcatjss and python-sphinx issues.
* Parameterized ROOT's index.jsp.Endi S. Dewata2015-04-221-2/+27
| | | | https://fedorahosted.org/pki/ticket/1296
* Add back the getPassword(tag) code to handle old tomcatjss interfaceAde Lee2015-04-221-0/+5
|
* Added pki-server-nuxwdog tool to create config file for nuxwdogAde Lee2015-04-221-0/+43
| | | | | This config file can be used in starting up the instance in a standalone fashion.
* Changes to config files to support nuxwdogAde Lee2015-04-225-1/+16
| | | | Specifically changes to CS.cfg, server.xml and tomcat.conf
* Add nuxwdog functionality to DogtagAde Lee2015-04-2214-38/+489
| | | | | | | | | | | | This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes. Code is also added to prompt for and test required passwords on startup. All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList
* Only read pki_profiles_in_ldap when spawning CA instanceFraser Tweedale2015-04-221-5/+4
|
* Ticket 1316 Allow adding SAN to server cert during the install processChristina Fu2015-04-217-10/+135
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Usage: * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern * edit serverCert.profile.exampleWithSANpattern - follow the instruction right above 8.default. - save and quit * cd /usr/share/pki/ca/profiles/ca , edit caInternalAuthServerCert.cfg - follow the instruction right above policyset.serverCertSet.9 - save and quit * save away and edit the ca config file for pkispawn: (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert - add the following lines, e.g. pki_san_inject=True pki_san_server_cert=host1.Example.com - do the same pkispawn cfg changes for kra or any other instances that you plan on creating * create your instance(s) check the sl sever cert, it should contain something like the following: Identifier: Subject Alternative Name - 2.5.29.17 Critical: no Value: DNSName: host1.Example.com
* Added server migration command.Endi S. Dewata2015-04-214-5/+536
| | | | | | | | | | | | New pki-server CLI commands have been added to migrate the server configuration from Tomcat 7 to Tomcat 8 and vice versa. These commands can be used later during system upgrade to migrate existing instances from Tomcat 7 in F22 to Tomcat 8 in F23. The Python CLI framework has been refactored to provide a way to find other CLI modules by the command names. https://fedorahosted.org/pki/ticket/1264
* Added support for Tomcat 8.Endi S. Dewata2015-04-2119-30/+866
| | | | | | | | | | | | The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264
* Add HSM passwords to pkispawnMatthew Harmsen2015-04-213-4/+66
| | | | - PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)
* Fixed action menu in TPS UI.Endi S. Dewata2015-04-172-10/+34
| | | | | | | | | | The TPS UI has been modified to display the appropriate actions menu based on the roles of the user. TPS agent can only enable and disable profiles, and also approve or reject pending requests. TPS admin can only edit disabled profiles, then submit it for approval, or cancel the request. https://fedorahosted.org/pki/ticket/1292
* Customized TPS UI menu based on user roles.Endi S. Dewata2015-04-172-9/+16
| | | | | | | | | | | The TPS UI has been modified to customize the navigation menu based on the roles of the user currently logged in. TPS agents do not have access to users, groups, config, authenticators, connectors, profile mappings, audit, and self tests, so the corresponding menu items will be hidden. TPS admins have access to all menu items. https://fedorahosted.org/pki/ticket/1292
* Remove unneeded class EnrollProfileContextFraser Tweedale2015-04-162-35/+2
|
* Fix incorrect class name in debug messageFraser Tweedale2015-04-161-1/+1
|
* Remove duplicate getRequestQueue codeFraser Tweedale2015-04-161-2/+1
|
* Remove unused RequestSubsystem constructorFraser Tweedale2015-04-161-6/+0
|
generated by cgit (git 2.34.1) at 2024-10-05 13:19:34 +0000