path: root/base/server

Commit log (commit message, author, date, files changed, lines removed/added):

...
* Remove unused import (Fraser Tweedale, 2017-02-22, 1 file, -1/+0)
  Part of: https://fedorahosted.org/pki/ticket/2601
* Secured PKI UI main page. (Endi S. Dewata, 2017-02-21, 1 file, -0/+22)
  A web.xml has been added to the /pki web application to require an SSL connection to access the PKI UI main page at /pki/ui.
  https://fedorahosted.org/pki/ticket/2582
* Reorganized PKI UI pages. (Endi S. Dewata, 2017-02-21, 3 files, -163/+273)
  Previously the index.jsp of the ROOT web application was storing the PKI UI main page, which contains links to the PKI subsystems installed on the instance. Now the file has been changed to redirect to /pki, which provides a new PKI UI welcome page. The PKI UI main page itself has been moved to /pki/ui.
  https://fedorahosted.org/pki/ticket/2582
* Refactored pki-ui.js. (Endi S. Dewata, 2017-02-20, 2 files, -152/+172)
  For clarity, the non-UI code in pki-ui.js has been moved into pki.js.
* Fix NPE in server shutdown when startup failed (Fraser Tweedale, 2017-02-20, 1 file, -1/+2)
  If server startup fails, the shutdown() routine tries to shut down the logger instance, which may not have been initialised. This raises a NullPointerException which can mask the original exception. Only attempt to shut down the logger instance if it is non-null.
* Added log message in CMCAuth. (Endi S. Dewata, 2017-02-17, 1 file, -0/+2)
  To help troubleshooting, CMCAuth has been modified to log a message when the CMC is missing.
* Refactored PKIService class. (Endi S. Dewata, 2017-02-15, 5 files, -92/+111)
  The subsystem-based methods and fields in the PKIService class have been moved into a new SubsystemService class to allow creating more generic non-subsystem-based services. The classes that use these methods and fields have been updated accordingly.
* Allow DirAclAuthz to be configured to read alternative entry (Fraser Tweedale, 2017-02-10, 1 file, -3/+23)
  Add the `searchBase' parameter for DirAclAuthz instances. If specified, it prepends the searchBase to the baseDN. This allows reusing an existing LDAP connection config (e.g. "internaldb") whilst changing where the instance loads the ACLs from.
  Part of: https://fedorahosted.org/pki/ticket/1359
  Fixes: https://fedorahosted.org/pki/ticket/2525
* Add upgrade script to add CommonNameToSANDefault plugin (Fraser Tweedale, 2017-02-09, 1 file, -0/+67)
  Part of: https://fedorahosted.org/pki/ticket/1710
* Add profile component that copies CN to SAN dNSName (Fraser Tweedale, 2017-02-09, 1 file, -0/+215)
  Add the 'CommonNameToSANDefault' profile default class. When used on a profile, this will examine the (most-specific) Common Name in the Subject DN, and if it looks like a DNS name, will add it to the Subject Alternative Name extension, creating the extension if it does not already exist. Also add an upgrade scriptlet to add the component to registry.cfg in existing installations.
  Fixes: https://fedorahosted.org/pki/ticket/1710
* Remove unused dependency from tomcat classes build (Fraser Tweedale, 2017-02-07, 1 file, -1/+0)
* Fixed MergePKIWebapps upgrade script. (Endi S. Dewata, 2017-02-04, 1 file, -5/+7)
  The MergePKIWebapps upgrade script has been modified to ensure that the old deployment descriptors exist before deleting them.
  https://fedorahosted.org/pki/ticket/2582
* Troubleshooting improvements for CAEnrollProfile. (Endi S. Dewata, 2017-02-02, 1 file, -13/+18)
  To help troubleshooting, the CAEnrollProfile class has been modified to chain the original exceptions.
* Merged /pki webapps. (Endi S. Dewata, 2017-01-30, 8 files, -157/+86)
  Previously the /pki webapp was only added if the theme was present during installation, and there were separate webapps for /pki/admin and /pki/js. If the theme was installed later, the /pki webapp had to be configured manually. To simplify the installation and to support other developments (e.g. login banner), the /pki webapp will always be added during installation regardless of theme, and the /pki/admin and /pki/js webapps are merged into the /pki webapp. When the theme package is installed, it will create links in the /pki webapp so the theme files will become available without additional configuration. An upgrade script has been added to merge the /pki webapp in existing instances.
  https://fedorahosted.org/pki/ticket/2582
* Replaced CryptoManager.getTokenByName(). (Endi S. Dewata, 2017-01-27, 13 files, -143/+44)
  Direct invocations of CryptoManager.getTokenByName() have been replaced with CryptoUtil.getCryptoToken() and getKeyStorageToken() to ensure that internal token names are handled consistently both in normal mode and FIPS mode.
  https://fedorahosted.org/pki/ticket/2556
* Fixed problem searching the latest certificate request. (Endi S. Dewata, 2017-01-27, 1 file, -0/+6)
  Previously, if a certificate request page only had one entry, the entry itself would be removed from the page, resulting in a blank page. QueryReq.trim() has been modified not to remove the marker entry if it's the only entry in the page.
  https://fedorahosted.org/pki/ticket/2450
* Fixed inconsistent internal token detection. (Endi S. Dewata, 2017-01-26, 21 files, -139/+129)
  The code that detects the internal token name has been modified to use CryptoUtil.isInternalToken() such that the comparison can be done consistently both in normal mode and FIPS mode.
  https://fedorahosted.org/pki/ticket/2556
* Updated CryptoUtil. (Endi S. Dewata, 2017-01-26, 1 file, -1/+1)
  CryptoUtil has been modified to provide two separate methods to obtain a token given the token name:
  - getCryptoToken() returns the crypto token
  - getKeyStorageToken() returns the key storage token
  getKeyStorageToken() was renamed from the existing getTokenByName(). All code using the old method has been updated accordingly. If the provided token name matches the internal token name, the methods will return the corresponding internal crypto/key storage token. isInternalToken() was modified to check for the empty string in addition to the short and full name of the internal token.
  https://fedorahosted.org/pki/ticket/2556
* Replaced internal token short name literals. (Endi S. Dewata, 2017-01-24, 11 files, -51/+56)
  The internal token short name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_NAME.
  https://fedorahosted.org/pki/ticket/2556
* Fixed Javadoc failure caused by HTML special characters. (Endi S. Dewata, 2017-01-24, 1 file, -1/+1)
  CMSTemplate has been fixed to escape HTML special characters in method documentation.
* Add option to remove signing cert entry (Ade Lee, 2017-01-24, 2 files, -0/+8)
  In the migration case, it is useful to delete the initially created signing certificate database record and have that be imported through the ldif data import instead. Therefore, we add an option to remove this entry. The user also needs to provide the serial number for the entry. This resolves the following tickets/BZs:
  BZ# 1409949/Trac 2573 - CA Certificate Issuance Date displayed on CA website incorrect
  BZ# 1409946/Trac 2571 - Request ID undefined for CA signing certificate
* Replaced internal token full name literals. (Endi S. Dewata, 2017-01-24, 10 files, -28/+32)
  The internal token full name literals have been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME.
  https://fedorahosted.org/pki/ticket/2556
* Use BigInteger for entryUSN (Fraser Tweedale, 2017-01-23, 1 file, -6/+7)
  Currently we try to parse the entryUSN into an Integer, which wraps the 'int' primitive type. If the entryUSN value is too large to fit in 'int', NumberFormatException is raised. Change LDAPProfileSubsystem and CertificateAuthority to use BigInteger for entryUSN values.
  Fixes: https://fedorahosted.org/pki/ticket/2579
* Refactored ConfigurationRequest.TOKEN_DEFAULT. (Endi S. Dewata, 2017-01-21, 1 file, -5/+5)
  ConfigurationRequest.TOKEN_DEFAULT has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
  https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_FULL_INTERNAL_TOKEN_NAME. (Endi S. Dewata, 2017-01-21, 1 file, -3/+3)
  Constants.PR_FULL_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_FULL_NAME since they are identical.
  https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN_NAME. (Endi S. Dewata, 2017-01-21, 10 files, -42/+49)
  Constants.PR_INTERNAL_TOKEN_NAME has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
  https://fedorahosted.org/pki/ticket/2556
* Refactored Constants.PR_INTERNAL_TOKEN. (Endi S. Dewata, 2017-01-21, 4 files, -18/+19)
  Constants.PR_INTERNAL_TOKEN has been replaced with CryptoUtil.INTERNAL_TOKEN_NAME since they are identical.
  https://fedorahosted.org/pki/ticket/2556
* Added upgrade script to update AJP loopback address. (Endi S. Dewata, 2017-01-20, 1 file, -0/+62)
  An upgrade script has been added to replace the IPv4- and IPv6-specific AJP loopback addresses with a more generic "localhost" in existing instances.
  https://fedorahosted.org/pki/ticket/2570
* Added global TCP Keep-Alive option. (Endi S. Dewata, 2017-01-18, 9 files, -97/+144)
  A new tcp.keepAlive parameter has been added to CS.cfg to configure the TCP Keep-Alive option for all LDAP connections created by the PKI server. By default the option is enabled. LdapJssSSLSocketFactory has been modified to support both plain and secure sockets. For clarity, the socket factory has been renamed to PKISocketFactory. All code that creates LDAP connections has been modified to use PKISocketFactory such that the TCP Keep-Alive option can be applied globally.
  https://fedorahosted.org/pki/ticket/2564
* Fixed misleading error message on duplicate cert in HSM. (Endi S. Dewata, 2017-01-05, 1 file, -3/+3)
  ConfigurationUtils.handleCerts() has been modified to log the actual exception instead of showing the "deleteCert" operation, which may not have been executed yet.
  https://fedorahosted.org/pki/ticket/2457
* Replaced default AJP hostname with generic loopback address. (Endi S. Dewata, 2017-01-05, 2 files, -2/+2)
  Previously the default AJP hostname was an IPv4 loopback address. To avoid problems in IPv6 environments, the default has been changed to a generic "localhost" address. The man page has been updated accordingly.
  https://fedorahosted.org/pki/ticket/2570
* Refactored deployment system variables. (Endi S. Dewata, 2016-12-22, 5 files, -53/+20)
  To improve reusability, the deployment system variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.
* Refactored deployment timestamp variables. (Endi S. Dewata, 2016-12-22, 5 files, -31/+15)
  To improve reusability, the deployment timestamp variables have been converted from global variables in pkiconfig.py into attributes in PKIDeployer.
* Refactored PKIConfigParser.flatten_master_dict(). (Endi S. Dewata, 2016-12-22, 2 files, -23/+24)
  To improve reusability, flatten_master_dict() has been moved from PKIConfigParser into PKIDeployer.
* Refactored PKIDeployer. (Endi S. Dewata, 2016-12-22, 5 files, -107/+133)
  To improve reusability, the PKIDeployer class has been moved from pkihelper.py into the top-level pki.server.deployment module.
* Refactored pki_subsystem object in pkiconfig.py. (Endi S. Dewata, 2016-12-21, 5 files, -72/+75)
  To improve reusability, the pki_subsystem object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.
* Refactored pki_config object in pkiparser.py. (Endi S. Dewata, 2016-12-21, 2 files, -22/+22)
  To improve reusability, the pki_config object has been moved from PKIConfigParser into PKIDeployer.
* Refactored user_config object in pkiconfig.py. (Endi S. Dewata, 2016-12-21, 3 files, -12/+13)
  To improve reusability, the user_config object has been converted from a global variable in pkiconfig.py into an attribute in PKIDeployer.
* Refactored master & slots dictionaries creation. (Endi S. Dewata, 2016-12-21, 4 files, -11/+39)
  To improve reusability, the deployment tools have been modified such that the master and slots dictionary objects are created in PKIDeployer at the beginning of the program. PKIConfigParser has been modified to use the same dictionary objects.
* Refactored pki_copytree(). (Endi S. Dewata, 2016-12-21, 1 file, -78/+2)
  pki_copytree() has been moved from pkihelper.py into pki/util.py such that it can be reused in non-deployment scenarios.
* Removed redundant find_file() for Tomcat libraries. (Endi S. Dewata, 2016-12-18, 5 files, -117/+0)
  The CMake scripts have been modified to remove redundant invocations of find_file() to find Tomcat libraries.
  https://fedorahosted.org/pki/ticket/2560
* Fixed pki-tools build order. (Endi S. Dewata, 2016-12-18, 1 file, -1/+1)
  To help troubleshooting build issues, the pki-tools build targets have been modified such that they run sequentially. This way error messages will be easier to find in the build log.
  https://fedorahosted.org/pki/ticket/2463
* Define "req_authority_id" IRequest extdata key in IRequest (Fraser Tweedale, 2016-12-12, 5 files, -6/+5)
  Part of: https://fedorahosted.org/pki/ticket/1359
* Define "profileId" IRequest extdata key in one place (Fraser Tweedale, 2016-12-12, 15 files, -18/+17)
  Part of: https://fedorahosted.org/pki/ticket/1359
* Define "auth_token" IRequest extdata key prefix in one place (Fraser Tweedale, 2016-12-12, 3 files, -8/+14)
  Part of: https://fedorahosted.org/pki/ticket/1359
* Add getAuthzManagerNameByRealm to IAuthzSubsystem (Fraser Tweedale, 2016-12-12, 1 file, -7/+9)
  The getAuthzManagerByRealm public method is defined in AuthzSubsystem, but to support external principals we want to make this part of the IAuthzSubsystem interface, so other classes (e.g. ACLInterceptor) can use it.
  Part of: https://fedorahosted.org/pki/ticket/1359
* Allow ':' to appear in ACL expressions (Fraser Tweedale, 2016-12-12, 1 file, -1/+3)
  Currently, if ':' appears in an ACL expression (e.g. a group name, as occurs in FreeIPA permissions), the ACL gets parsed incorrectly. Look backwards from the end of the string for the final ':', so that the ACL parses correctly.
  Part of: https://fedorahosted.org/pki/ticket/1359
* Merge duplicate authz plugin code into superclass (Fraser Tweedale, 2016-12-12, 3 files, -264/+78)
  DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is still a lot of duplicate code. Push the duplicated bits up into AAclAuthz. Also remove the abstract method flushResourceACLs() from AAclAuthz, and its implementation from BasicAclAuthz, because it is only implemented (meaningfully) by DirAclAuthz.
  Part of: https://fedorahosted.org/pki/ticket/1359
* Removed all references to 'xenroll.dll' (Matthew Harmsen, 2016-12-09, 1 file, -5/+0)
  - PKI TRAC Ticket #2524 - Remove xenroll.dll from pki-core
* Resolve: pkispawn does not change default ecc key size from nistp256 when nistp384 is specified in spawn config (Jack Magne, 2016-12-09, 1 file, -4/+4)
  Ticket #2552. This fix turned out simple. The client was correctly setting the required data, but it was putting the curveName in the "keySize" field of the SystemCertData object sent to the back end. The configuration routine was trying to find the name in the "curveName" field when it's really in the "keySize" field. This issue is restricted to the ECC case. It is fine to simply fix this in the server, since the "keySize" is a string anyway and it makes decent sense.