summaryrefslogtreecommitdiffstats
path: root/base/server
Commit message (Collapse)AuthorAgeFilesLines
...
* Ticket 2389 Installation: subsystem certs could have notAfter beyond CA ↵Christina Fu2016-06-292-0/+26
| | | | | | | signing cert in case of external or existing CA This patch implements validity check on the notAfter value of the certInfo and adjusts it to that of the CA's notAfter if exceeding
* Normalize default softokn nameMatthew Harmsen2016-06-281-0/+10
| | | | | - PKI TRAC Ticket #2311 - When pki_token_name=Internal, consider normalizing it to "internal"
* Fixed KRA cloning issue.Endi S. Dewata2016-06-292-10/+37
| | | | | | | | | | | | | The pki pkcs12-import CLI has been modified not to import certificates that already exist in the NSS database unless specifically requested with the --overwrite parameter. This will avoid changing the trust flags of the CA signing certificate during KRA cloning. The some other classes have been modified to provide better debugging information. https://fedorahosted.org/pki/ticket/2374
* Fixes: Invalid instance exception issue.Amol Kahat2016-06-281-3/+37
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1348433
* Fixes pki-server subsystem-* --help options.Amol Kahat2016-06-281-74/+81
| | | | Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1340718
* Fixed problem reading HSM password from password file.Endi S. Dewata2016-06-283-24/+50
| | | | | | | | | | | | | A new method get_token_password() has been added into PKIInstance Python class in order to read the token password correctly from password.conf. If the token is an internal token, it will read the 'internal' password. If it is an HSM it will read the password for 'hardware-<token>'. The codes that call the get_password() to get token password have been modified to use get_token_password() instead. https://fedorahosted.org/pki/ticket/2384
* Ticket #2298 Part3- trim down debug log in non-TMS crmf enrollmentsChristina Fu2016-06-179-40/+58
|
* UdnPwdDirAuth authentication plugin instance is not working.Jack Magne2016-06-173-203/+0
| | | | | | | | Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working. Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Added upgrade script to fix JAVA_HOME.Endi S. Dewata2016-06-173-0/+107
| | | | https://fedorahosted.org/pki/ticket/2363
* Fixed Java dependency.Endi S. Dewata2016-06-179-28/+43
| | | | | | | | | | The code has been modified to use the JAVA_HOME path specified in the pki.conf. The spec file has been modified to depend specifically on OpenJDK 1.8.0 and to provide the default JAVA_HOME path for the pki.conf. https://fedorahosted.org/pki/ticket/2363
* Ticket #2298 exclude some ldap record attributes with key archival This is ↵Christina Fu2016-06-167-31/+198
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | part 2 of: https://fedorahosted.org/pki/ticket/2298 [non-TMS] for key archival/recovery, not to record certain data in ldap and logs This patch allows one to exclude certain ldap attributes from the enrollment records for crmf requests (both CRMF, and CMC CRMF). The following are the highlights: * CRMF Manual approval profile is disabled: caDualCert.cfg - If excludedLdapAttrs.enabled is true, then this profile will not work, as the crmf requests (by default it is false) are not written to ldap record for agents to act on * excludedLdapAttrs.attrs can be used to configure the attribute list to be excluded * a new CRMF "auto approval" (directory based, needs to be setup) is provided * if excludedLdapAttrs.enabled is true (in both ca and kra), the following fields are not written to the ldap record in case of CRMF: (note: the code deliberately use literal strings on purpose for the reason that the exact literal strings need to be spelled out in excludedLdapAttrs.attrs if the admin chooses to override the default) "req_x509info", "publickey", "req_extensions", "cert_request", "req_archive_options", "req_key" * Because of the above (possible exclusion of cert requests in record, profiles that require agent manual approval will no longer function in the case that excludedLdapAttrs.enabled is true * a sleepOneMinute() method is added for debugging purpose. It is not called in the final code, but is left there for future debugging purpose * code was fixed so that in KRA request will display subject name even though the x509info is missing from request * cmc requests did not have request type in records, so they had to be added for differentiation The following have been tested: * CRMF auto enroll * CRMF manual enroll/approval * CMC-CRMF enroll * both CA and KRA internal ldap are examined for correct data exclusion Note: CRMF could potentially not include key archival option, however, I am not going to differentiate them at the moment. An earlier prototype I had built attempted to do that and the signing cert's record isn't excluded for attrs write while it's CRMF request is the same as that of its encryption cert counterpart within the same request. Due to this factor (multiple cert reqs with the same request blob), I am treating them the same for exclusion.
* Enableocsp checking on KRA with CA's secure port shows self test failure.Jack Magne2016-06-162-0/+5
| | | | | Here we will address this by putting a comment in the server.xml, around the area where the ocsp settings are document.
* Refactored SystemConfigService.processCerts().Endi S. Dewata2016-06-151-128/+148
| | | | | | To simplify future enhancements the code that processes each certificate in SystemConfigService.processCerts() has been moved into a separate method.
* Added entry of pki-server instance-cert command in man page.Amol Kahat2016-06-151-0/+6
|
* Fixed pki-server instance-start <instance> command. Fixed pki-server ↵Amol Kahat2016-06-151-0/+18
| | | | | | instance-stop <instance> command. https://bugzilla.redhat.com/show_bug.cgi?id=1341953
* Fixed REST response format.Endi S. Dewata2016-06-141-1/+1
| | | | | | | Some REST services have been fixed to return the response in XML format by default. https://fedorahosted.org/pki/ticket/1276
* Add man page and clarify CLI for kra-connectorAde Lee2016-06-132-28/+56
|
* Fixed --help option for instance-show, instance-start, instance-stop, ↵Amol Kahat2016-06-131-41/+42
| | | | | | instance-migrate, instance-nuxwdog-enable, instance-nuxwdog-disable. https://bugzilla.redhat.com/show_bug.cgi?id=1339263
* Add man page entry for pki-server instance-cert-export commandAde Lee2016-06-101-0/+10
| | | | Ticket 2339
* Add man page info for number range parametersAde Lee2016-06-101-0/+13
| | | | Ticket 2318
* Fixed TPS VLV sort orders.Endi S. Dewata2016-06-104-55/+65
| | | | | | | | | | | | | | | The TPS VLVs for tokens and activities has been modified to sort the results by date in reverse order. The DBRegistry.getLDAPAttributes() was modified to support reverse sort order by recognizing the "-" prefix in the list of sort keys and pass it to LDAP. The DBVirtualList.setSortKey() was modified to ignore bubble up the exceptions that happen during LDAP attribute mapping. https://fedorahosted.org/pki/ticket/2263 https://fedorahosted.org/pki/ticket/2269
* Fixed TPS VLV filters.Endi S. Dewata2016-06-101-1/+1
| | | | | | | | | | | | Previously TPS VLVs for tokens and activities were defined using presence filters of some optional attributes. If the optional attribute is missing the entry will not be included in the search result. The VLVs have now been modified to use object class matching filters to ensure they match all tokens and activities. https://fedorahosted.org/pki/ticket/2354
* Updated KRA VLV management CLI.Endi S. Dewata2016-06-081-25/+141
| | | | | | A new pki-server kra-db-vlv-find command has been added to list existing KRA VLV indexes. The pki-server kra-db-vlv-reindex has been modified to wait until the reindex is complete.
* Added TPS VLV management CLI.Endi S. Dewata2016-06-082-0/+506
| | | | | | | | | A set of pki-server commands has been added to simplify upgrading TPS VLV indexes. https://fedorahosted.org/pki/ticket/2354 https://fedorahosted.org/pki/ticket/2263 https://fedorahosted.org/pki/ticket/2269
* Fix name fields in man pages for correct man -k outputAde Lee2016-06-084-4/+4
| | | | Ticket 1563
* Lightweight CAs: add method to renew certificateFraser Tweedale2016-06-051-1/+8
| | | | | | | | | | | | | | | Add the CertificateAuthority.renewAuthority() method that creates and processes a renewal request for the lightweight CA's signing cert. The new certificate replaces the old certificate in the NSSDB and the serial number is stored in the 'authoritySerial' attribute. Clones observe when the 'authoritySerial' attribute has changed and update the certificate in their NSSDB, too. The renewal behaviour is available in the REST API as a POST to /ca/rest/authorities/<id>/renew. Fixes: https://fedorahosted.org/pki/ticket/2327
* Lightweight CAs: renew certs with same issuerFraser Tweedale2016-06-051-0/+7
| | | | | | | | When renewing a certificate, propagate the Authority ID from the original request to the new request, to ensure that the new certificate is issued by the same issuer as the original. Part of: https://fedorahosted.org/pki/ticket/2327
* Show KeyOwner info when viewing recovery requests.Jack Magne2016-06-031-2/+25
| | | | | | | | | | | | | | | | This simple fix will grab the subject info out of the cert associated with either pending or complete recovery requests being viewed in the KRA UI. For example: KeyOwner: UID=jmagne, O=Token Key User Will be displayed. This simple fix should be good enough for this round, despite the bug asking about agent info and such. Ticket : Ticket #1512 : Key owner info missing from the Search results of Recovery request
* Fixed truncated token activity message in TPS UI.Endi S. Dewata2016-06-031-3/+3
| | | | | | | | | | | | The TPS UI has been modified to display the token activity message in a textarea to avoid truncation. The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea. https://fedorahosted.org/pki/ticket/2299
* Ticket #2352 [TMS] missing netkeyKeyRecovery requests option in KRA agent ↵Christina Fu2016-06-031-0/+2
| | | | for "List Request" This patch allows KRA agent to list netkeyKeyRecovery requests.
* Add option to modify ajp_host to pkispawnAde Lee2016-06-036-2/+10
| | | | | | | | This allows IPA to handle the case of a pure ipv6 environment in which the ipv4 loopback interface is not available. Ticket 1717
* Add commands to db-server to help with DB related changesAde Lee2016-06-033-3/+449
| | | | | | | | | | | | | | Added pki-server kra-db-vlv-add, kra-db-vlv-del, kra-db-vlv-reindex Added pki-server db-schema-upgrade If the admin has the directory manager (or equivalent) simple creds, then they can enter them as parameters and perform the operations. Otherwise, they can specify --generate-ldif to generate LDIF files containing the changes that need to be implemented, and implement them using GSSAPI or otherwise. Tickets 2320, 2319
* Lightweight CAs: remove pki-ipa-retrieve-key scriptFraser Tweedale2016-06-032-56/+0
| | | | | | | | | For the benefit of code locality and subsequent to the generalisation of IPACustodiaKeyRetriever to ExternalProcessKeyRetriever, the pki-ipa-retrieve-key script is being moved to the FreeIPA codebase. Part of: https://fedorahosted.org/pki/ticket/1625
* Include serial of revoked cert in CertRequestInfoFraser Tweedale2016-06-031-0/+8
| | | | | | | | | When manufacturing a CertRequestInfo, CertRequestInfoFactory includes the serial number of issued certs, but does not show serial numbers of revoked certs for completed revocation requests. Include the serial number for this case. Fixes: https://fedorahosted.org/pki/ticket/1073
* Ticket #2271 Part2:TMS:removing/reducing debug log printout of dataChristina Fu2016-06-026-24/+39
| | | | | | | This patch comments out unneeded data in TMS debug logs (TPS&TKS); It reduces the size of the debug logs by a lot. Note that for ease of later development debugging, the debug lines are commented out instead of being removed
* Fix legacy servlets to check realm when requesting recoveryAde Lee2016-06-022-10/+39
|
* Change legacy requests servlet to check realmAde Lee2016-06-021-0/+26
| | | | | | | | | | The legacy KRA servlet has been modified to check the realm if present in the request, or only return non-realm requests if not present. No attempt is made to fix the error reporting of the servlet. As such, an authz failure due to the realm check is handled in the same way that other authz failures are handled.
* Fix old KRA servlets to check realmAde Lee2016-06-024-14/+96
| | | | | | | | | | | | The old KRA servlets to list and display keys do not go through the same code paths as the REST API. Therefore, they do not check the authz realm. This patch adds the relevant code. No attempt is made to fix the error handling of the old servlets. the long term solution for this is to deprecate the old servlets and make the UI use the REST API instead. Therefore, authz failures due to realm checks are handled in the same way as other authz changes.
* Fix unknown TKS host and port connector error during TPS removalMatthew Harmsen2016-06-021-10/+3
| | | | | - PKI TRAC #1677 - Pkidestroy of a TPS instance installed in a shared tomcat throws error.
* Fixed problem submitting renewal request.Endi S. Dewata2016-06-022-17/+80
| | | | | | | | | | | The RenewalProcessor.processRenewal() has been modified to get the serial number of the certificate to renew from the profile input in addition to the <SerialNumber> attribute and client certificate. The serialNum field in CertEnrollmentRequest has been modified to use CertId which accepts both decimal and hexadecimal value. https://fedorahosted.org/pki/ticket/999
* Fixed error reporting in RenewalProcessor.getSerialNumberFromCert().Endi S. Dewata2016-06-021-55/+43
| | | | | | | | | | | The RenewalProcessor.getSerialNumberFromCert() has been modified to throw an exception instead of returning null to pass the error message to the client to help troubleshooting. The code has also be modified to remove redundant null checking and redundant decoding and re-encoding. https://fedorahosted.org/pki/ticket/999
* Fix LDAP schema violation when instance name contains '_'Fraser Tweedale2016-05-302-2/+2
| | | | | | | | | | | | | | | The instance name is used in NSSDB key nicknames, which are stored in the authorityKeyNickname attribute for mapping lightweight CAs to their keys. The schema was PrintableString, which does not permit '_', causing LDAP syntax errors if the instance name contains '_'. To avoid this issue, change the attribute syntax to IA5String. Existing instances should be largely unaffected. The schema update can be successfully applied even for existing attributes, because PrintableString and IA5String share the same underlying representation in 389DS. Fixes: https://fedorahosted.org/pki/ticket/2343
* Updated system certificate selftests.Endi S. Dewata2016-05-281-6/+6
| | | | | | | | | The CertUtils.verifySystemCertByNickname() has been modified to call CryptoManager.verifyCertificate() to validate the system certificates which will provide better information (i.e. NSS error message and stack trace) to troubleshoot validation issues. https://fedorahosted.org/pki/ticket/850
* Ticket 2271 2298 key archival/recovery, not to record certain data in ldapChristina Fu2016-05-272-3/+26
| | | | | | This patch handles Ticket 2298 non-TMS key archival/recovery, as well as Ticket 2271 TMS recovery request ldap entries Fields are zeroed out before being deleted in KRA request records
* Fixed error handling in ProxyRealm.Endi S. Dewata2016-05-274-2/+94
| | | | | | | | All methods in ProxyRealms for Tomcat 7 and 8 have been modified to check whether the subsystem is available, then generate a proper error message instead of null pointer exception. https://fedorahosted.org/pki/ticket/2326
* Fixed hard-coded database name for TPS VLV indexes.Endi S. Dewata2016-05-271-0/+20
| | | | | | | | | | | | | The vlv.ldif for TPS has been modified to remove the hard-coded database name and to use customizable parameter instead. The token and activity REST services have been modified to search the database using VLV. The existing database can be fixed using the following procedure: http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes https://fedorahosted.org/pki/ticket/2342
* Add parameters to purge old published filesAde Lee2016-05-262-10/+150
| | | | Ticket 2254
* Ticket 1665 - Cert Revocation Reasons not being updated when on-holdChristina Fu2016-05-255-14/+74
| | | | | | | | | | | | | | This patch fixes the following areas: * In the CA, when revokeCert is called, make it possible to move from on_hold to revoke. * In the servlet that handles TPS revoke (DoRevokeTPS), make sure it allows the on_hold cert to be put in the bucket to be revoked. * there are a few minor fixes such as typos and one have to do with the populate method in SubjectDNInput.java needs better handling of subject in case it's null. Note: This patch does not make attempt to allow agents to revoke certs that are on_hold from agent interface. The search filter needs to be modified to allow that.
* Fixed support for generic CSR extensions.Endi S. Dewata2016-05-254-32/+90
| | | | | | | | The deployment tool has been modified to support adding Subordinate CA extension into the CSR for Microsoft CA, and also adding generic extensions to any system certificate. https://fedorahosted.org/pki/ticket/2312
* Fixed cert enrollment problem with empty rangeUnit in profile.Endi S. Dewata2016-05-243-9/+9
| | | | | | | | | | | | Previously cert enrollment might fail after editing the profile using the console. This is because the console added an empty rangeUnit parameter, but the server rejected the empty value. The convertRangeUnit() methods in several classes have been modified to accept the empty value and convert it into the default value (i.e. day). https://fedorahosted.org/pki/ticket/2308
generated by cgit (git 2.34.1) at 2025-09-27 09:13:25 +0000