Commit message
- To avoid confusion, the isSelfTestCriticalAtStartup() and
  isSelfTestCriticalOnDemand() in SelfTestSubsystem have been
  modified to no longer log an error message if the selftest
  being checked does not exist in the corresponding property
  in CS.cfg.
  https://fedorahosted.org/pki/ticket/2432
- To help troubleshooting, the selftest log has been modified to
  include the cert validation error message returned by JSS.
  https://fedorahosted.org/pki/ticket/2436
- The dialog box for adding a user certificate in TPS UI has been
  modified to no longer mention PKCS #7. The REST service itself
  still accepts PKCS #7, but it should be cleaned up in the future.
  https://fedorahosted.org/pki/ticket/2437
- The pkispawn has been modified to improve the way it displays the
  error message returned by SystemConfigService.configure(). If the
  method throws a PKIException, the response is returned as a JSON
  message, so pkispawn will parse it and display the actual error
  message. For other exceptions pkispawn will display the entire
  HTML message returned by Tomcat.
  https://fedorahosted.org/pki/ticket/2399
- To fix a cloning issue in IPA, the security_database.py has been
  modified to import all certificates and keys in the PKCS #12 file
  before the PKI server is started. Since the PKCS #12 generated by
  IPA may not contain the certificate trust flags, the script will
  also reset the trust flags on the imported certificates (i.e.
  CT,C,C for CA certificate and u,u,Pu for audit certificate).
  The ConfigurationUtils.restoreCertsFromP12() is now redundant and
  it should be removed in the future, but for now it has been
  modified to set the same trust flags on imported certificates.
  The CryptoUtil.importCertificateChain() has also been modified to
  set the same trust flags on imported certificates.
  https://fedorahosted.org/pki/ticket/2424
- To help troubleshooting cloning issues, the security_databases.py
  has been modified to log the content of the PKCS #12 file before
  import and the NSS database after import.
  https://fedorahosted.org/pki/ticket/2424
- The ConfigCertApprovalCallback has been modified such that it
  logs the server certificate being validated and can be configured
  to ignore certain validation errors.
  The ConfigurationUtils has been modified to use the
  ConfigCertApprovalCallback to show and validate the server
  certificate in all GET and POST operations except for the
  importCertChain() in which the code needs to ignore untrusted
  issuer in order to get the certificate chain via SSL.
  https://fedorahosted.org/pki/ticket/2424
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1353245
  Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
- This patch fixes the issue that when an agent visits one of the CA's system cert request records, an exception is thrown.
- The CMake create_symlink command fails if the link target does not
  exist already. Since PKI JAR files may not exist at build time, the
  commands to create the links to those files have been replaced with
  the ln -sf command which will create the links regardless of the
  targets' existence.
  https://fedorahosted.org/pki/ticket/2403
- Need to put pki_server_side_keygen in a conditional to avoid
  breaking other subsystem deployments.
  Ticket 2418
- Ticket 2418
- The deployment tool has been modified to set up SELinux contexts
  after all instance files have been created to ensure they have the
  correct contexts.
  An upgrade script has been added to fix existing instances.
  https://fedorahosted.org/pki/ticket/2421
- An upgrade script has been added to replace the <instance>/common
  in existing instances with a link to /usr/share/pki/server/common
  which contains links to server dependencies.
  https://fedorahosted.org/pki/ticket/2403
- Ticket #2406 Make starting CRL Number configurable
  This simple patch provides a pkispawn config param that passes
  some starting crl number value to the config process.
  Here is a sample:
  [CA]
  pki_ca_starting_crl_number=4000
  After the CA comes up the value of "crlNumber" in the db will
  reflect that value of 4000.
  Currently no other values are changed. We can talk about if we
  need more values reset in the given case.
  Also, this creates a setting in the CS.cfg
  ca.crl.MasterCrl.startingCrlNumber=4000
  This setting is only consulted when the crl Issuing Point record is created
  for the first time.
- The deployment tool has been modified to link <instance>/common
  to /usr/share/pki/server/common instead of creating separate links
  for each dependency. This allows the RPM spec to customize the
  links for different platforms.
  https://fedorahosted.org/pki/ticket/2403
- The operations script has been modified to generate pki.policy
  dynamically from links in the <instance>/common/lib directory.
  This allows the pki.policy to match the actual paths in different
  platforms.
  https://fedorahosted.org/pki/ticket/2403
- To help troubleshooting build issues, some CMake dependencies have
  been added to some targets even though the actual code does not
  require those dependencies. This will ensure the targets are built
  sequentially so build failures can be found more easily at the end
  of the build log.
  https://fedorahosted.org/pki/ticket/2403
- Trivial fix.
- The string splice operation in substitute_deployment_params() has
  been fixed to include the rest of the string.
  https://fedorahosted.org/pki/ticket/2399
- To help troubleshooting, the SystemConfigService has been modified
  to chain the original exception and to log the stack trace into the
  debug log.
  https://fedorahosted.org/pki/ticket/2399
- The pkispawn installation summary has been modified not to
  show the admin certificate nickname and NSS database if
  pki_client_database_purge or pki_clone is set to true since
  the NSS database will not be created in those cases.
  https://fedorahosted.org/pki/ticket/2399
- The pkispawn has been modified such that if the admin selects to
  import the admin certificate the admin will not be asked where to
  export the certificate.
  https://fedorahosted.org/pki/ticket/2399
- The pki client-cert-validate has been modified to add the missing
  EmailRecipient and to list the supported cert usages.
  https://fedorahosted.org/pki/ticket/2376
  https://fedorahosted.org/pki/ticket/2399
- The pkihelper.py has been modified to display the correct external
  command name on system certificate validation error.
  https://fedorahosted.org/pki/ticket/2399
- fixes: https://fedorahosted.org/pki/ticket/1667
  Signed-off-by: Geetika Kapoor <gkapoor@redhat.com>
  Reviewed-by: Fraser Tweedale <ftweedal@redhat.com>
- This patch addresses the issue that with the previous patch, the regular (non-external and non-existing) CA installation fails.
- The pki-server CLI has been modified to catch all exceptions and
  display a simple exception message. In verbose mode it will
  display the stack trace.
  https://fedorahosted.org/pki/ticket/2381
- The pki-server subsystem-* commands have been updated to validate
  the instance and subsystem before proceeding with the operation.
  https://fedorahosted.org/pki/ticket/2399
- Support to allow the TPS to do the following:
  1. Request that the TKS creates a shared secret with the proper ID, pointing to the TPS.
  2. Have the TKS securely return the shared secret back to the TPS during the end of configuration.
  3. The TPS then imports the wrapped shared secret into its own internal NSS db permanently, and
  4. Given a name that is mapped to the TPS's id string.
  Additional fixes:
  1. The TKS was modified to actually be able to use multiple shared secrets registered by
  multiple TPS instances.
  Caveat:
  At this point if the same remote TPS instance is created over and over again, the TPS's user
  in the TKS will accumulate "userCert" attributes, making the exportation of the shared secret
  not functional. At this point we need to assume that the TPS user has ONE "userCert" registered
  at this time.
- PKI TRAC Ticket #1405 - Add additional HSM details to 'pki_default.cfg' &
  'pkispawn' man pages
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- The pki-server ca-* commands have been modified to validate
  the instance and the CA subsystem before proceeding with the
  operation.
  The usage() methods and invocations have been renamed into
  print_help() for consistency.
  https://fedorahosted.org/pki/ticket/2364
- The pki-server subsystem-cert-update is supposed to restore the
  system certificate data and requests into CS.cfg. The command was
  broken since the CASubsystem class that contains the code to find
  the certificate requests from database was not loaded correctly.
  To fix the problem the CASubsystem class has been moved into the
  pki/server/__init__.py.
  All pki-server subsystem-* commands have been modified to check
  the validity of the instance.
  An option has been added to the pki-server subsystem-cert-show
  command to display the data and request of a particular system
  certificate.
  The redundant output of the pki-server subsystem-cert-update has
  been removed. The updated certificate data and request can be
  obtained using the pki-server subsystem-cert-show command.
  https://fedorahosted.org/pki/ticket/2385
- CMS startup was changed a while back to wait for
  LDAPProfileSubsystem initialisation, while LDAPProfileSubsystem
  initialisation waits for all known profiles to be loaded by the LDAP
  persistent search thread. If the ou=certificateProfiles container
  object does not exist, startup hangs.
  This can cause a race condition in FreeIPA upgrade. FreeIPA
  switches the Dogtag instance to the LDAPProfileSubsystem and
  restarts it. The restart fails because the container object does
  not get added until after the restart.
  Update LDAPProfileSubsystem to add the container object itself, if
  it is missing, before commencing the persistent search.
  Fixes: https://fedorahosted.org/pki/ticket/2285
- The AuthInfoAccessExtDefault profile component constructs an OCSP
  URI based on the current host and port, if no URI is explicitly
  configured in the profile.
  Update the component to look in CS.cfg for the "ca.defaultOcspUri"
  config, and use its value if present. If not present, the old
  behaviour prevails.
  Also add the 'pki_default_ocsp_uri' pkispawn config to add the
  config during instance creation, so that the value will be used for
  the CA and system certificates.
  Fixes: https://fedorahosted.org/pki/ticket/2387
- Look for the right JAX-RS API JAR (it has moved in Fedora 25).
  Also remove a lot of redundant 'find_file' operations for this JAR.
  Fixes: https://fedorahosted.org/pki/ticket/2373
- Partially fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Partially Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351295
- Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1349769
- Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1351096
- This patch removes references to the ciphers currently unsupported by NSS:
  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- PKI TRAC Ticket #1607 - [MAN] man pkispawn has inadequate description for
  shared vs non shared tomcat instance installation