path: root/base/server
Commit message | Author | Age | Files | Lines
...
* Get profile ID from DN instead of CN attribute (Fraser Tweedale, 2015-05-08; 1 file, -8/+15)

* Simple fix for this is not requiring the pki_client_database_password to be set when performing a clone operation. (Jack Magne, 2015-05-07; 1 file, -1/+3)
  Tested with a cloned CA and a couple of other subsystems, such as OCSP.

* Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user. (Jack Magne, 2015-05-07; 2 files, -70/+10)
  The short term solution to this problem was to remove the man page information and all references to the command line module responsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this as well. Tested this to verify that the man page for the "securitydomain" command no longer mentions or documents the "get-install-token" variant. Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module". Tested by installing and uninstalling a subsystem. The security domain was kept up to date as expected for each install over remove attempted.

* Fixed pylint warnings. (Endi S. Dewata, 2015-05-07; 1 file, -0/+3)
  The pki.server Python module has been fixed to remove pylint warnings generated by recent changes. https://fedorahosted.org/pki/ticket/1353

* Fixed migration tool to update Tomcat libraries. (Endi S. Dewata, 2015-05-06; 2 files, -7/+44)
  The migration tool has been fixed to update the links to Tomcat libraries in the instance folder to match the current Tomcat version installed on the system. https://fedorahosted.org/pki/ticket/1353

* Ticket 1295 Upgrade script for - CA: OCSP via GET does not work (Christina Fu, 2015-05-05; 1 file, -0/+79)

* Fixed authentication data in audit log. (Endi S. Dewata, 2015-05-05; 1 file, -0/+100)
  The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054

* Fix interactive install to not reprompt for ports (Ade Lee, 2015-04-29; 3 files, -7/+53)
  Ports are already set when deploying into an existing instance. Having a user re-enter these is repetitious and error prone.
* Trac Ticket 1196 - serverCertNick.conf is replaced incorrectly (Ade Lee, 2015-04-29; 1 file, -1/+3)
  When a second subsystem is installed, serverCertNick.conf and other top level tomcat config files should not be replaced.

* Code cleanup - simplify pkispawn code (Ade Lee, 2015-04-29; 10 files, -749/+716)
  All subsystems are now tomcat instances. Conditionals based on whether the subsystem is a tomcat instance or not are no longer required.

* Add nuxwdog to java policy (Ade Lee, 2015-04-28; 1 file, -0/+3)
  This allows the PKI server to be loaded with the nuxwdog library when the java security policy is enabled.

* Add ability to pki-server to enable/disable nuxwdog for an instance (Ade Lee, 2015-04-28; 3 files, -2/+447)
  This adds the ability to either enable or disable an instance using the pki-server utility. Additional documentation and additions to the man pages will be added in a separate patch.

* Fixed problem deploying without theme. (Endi S. Dewata, 2015-04-24; 1 file, -12/+13)
  The deployment tool has been modified to deploy the pki.xml only if the theme package is installed. https://fedorahosted.org/pki/ticket/499

* Remove duplicate prompt on nuxwdog startup (Ade Lee, 2015-04-23; 1 file, -0/+49)

* Added direct deployment for theme. (Endi S. Dewata, 2015-04-23; 9 files, -29/+163)
  The deployment tool has been modified to deploy the theme files directly from /usr/share/pki. New deployment descriptors have been added for admin templates and JS library. https://fedorahosted.org/pki/ticket/499

* Enumerate profiles in order of discovery (Fraser Tweedale, 2015-04-23; 3 files, -4/+8)
  A recent change (d83f688) changed the order of profile enumeration. Track profiles using a LinkedHashMap to restore the old behaviour where profiles were enumerated in the order they were discovered.
* Moved color settings to CSS. (Endi S. Dewata, 2015-04-22; 5 files, -5/+5)
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file. https://fedorahosted.org/pki/ticket/1296

* Moved CSS files to theme package. (Endi S. Dewata, 2015-04-22; 4 files, -9986/+0)
  The CSS files have been moved into the theme package to allow more control of the UI appearance. https://fedorahosted.org/pki/ticket/499

* Moved fonts and images to theme package. (Endi S. Dewata, 2015-04-22; 21 files, -0/+0)
  The fonts and images have been moved into the theme package to allow more control of the UI appearance. https://fedorahosted.org/pki/ticket/499

* Added direct deployment for all subsystems. (Endi S. Dewata, 2015-04-22; 4 files, -201/+3)
  The deployment tool has been modified to deploy all subsystems directly from /usr/share/pki. This will simplify updating the templates in the web applications. https://fedorahosted.org/pki/ticket/499

* Fixed build issues. (Endi S. Dewata, 2015-04-22; 1 file, -1/+0)
  The code has been modified to fix tomcatjss and python-sphinx issues.

* Parameterized ROOT's index.jsp. (Endi S. Dewata, 2015-04-22; 1 file, -2/+27)
  https://fedorahosted.org/pki/ticket/1296

* Add back the getPassword(tag) code to handle old tomcatjss interface (Ade Lee, 2015-04-22; 1 file, -0/+5)

* Added pki-server-nuxwdog tool to create config file for nuxwdog (Ade Lee, 2015-04-22; 1 file, -0/+43)
  This config file can be used in starting up the instance in a standalone fashion.

* Changes to config files to support nuxwdog (Ade Lee, 2015-04-22; 5 files, -1/+16)
  Specifically, changes to CS.cfg, server.xml and tomcat.conf.

* Add nuxwdog functionality to Dogtag (Ade Lee, 2015-04-22; 14 files, -38/+489)
  This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes. Code is also added to prompt for and test required passwords on startup. All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList.

* Only read pki_profiles_in_ldap when spawning CA instance (Fraser Tweedale, 2015-04-22; 1 file, -5/+4)
* Ticket 1316 Allow adding SAN to server cert during the install process (Christina Fu, 2015-04-21; 7 files, -10/+135)
  Usage:
  * under /usr/share/pki/ca/conf, you will find a new file called serverCert.profile.exampleWithSANpattern
  * copy existing serverCert.profile away and replace with serverCert.profile.exampleWithSANpattern
  * edit serverCert.profile.exampleWithSANpattern
    - follow the instruction right above 8.default.
    - save and quit
  * cd /usr/share/pki/ca/profiles/ca, edit caInternalAuthServerCert.cfg
    - follow the instruction right above policyset.serverCertSet.9
    - save and quit
  * save away and edit the ca config file for pkispawn (note: you can add multiple SAN's delimited by ',' for pki_san_server_cert)
    - add the following lines, e.g.
      pki_san_inject=True
      pki_san_server_cert=host1.Example.com
    - do the same pkispawn cfg changes for kra or any other instances that you plan on creating
  * create your instance(s)
  Check the ssl server cert; it should contain something like the following:
    Identifier: Subject Alternative Name - 2.5.29.17
    Critical: no
    Value:
      DNSName: host1.Example.com

* Added server migration command. (Endi S. Dewata, 2015-04-21; 4 files, -5/+536)
  New pki-server CLI commands have been added to migrate the server configuration from Tomcat 7 to Tomcat 8 and vice versa. These commands can be used later during system upgrade to migrate existing instances from Tomcat 7 in F22 to Tomcat 8 in F23. The Python CLI framework has been refactored to provide a way to find other CLI modules by the command names. https://fedorahosted.org/pki/ticket/1264

* Added support for Tomcat 8. (Endi S. Dewata, 2015-04-21; 19 files, -30/+866)
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264

* Add HSM passwords to pkispawn (Matthew Harmsen, 2015-04-21; 3 files, -4/+66)
  - PKI TRAC Ticket #1200 - make sure pkispawn works with hsm (passwords)

* Fixed action menu in TPS UI. (Endi S. Dewata, 2015-04-17; 2 files, -10/+34)
  The TPS UI has been modified to display the appropriate actions menu based on the roles of the user. TPS agent can only enable and disable profiles, and also approve or reject pending requests. TPS admin can only edit disabled profiles, then submit it for approval, or cancel the request. https://fedorahosted.org/pki/ticket/1292

* Customized TPS UI menu based on user roles. (Endi S. Dewata, 2015-04-17; 2 files, -9/+16)
  The TPS UI has been modified to customize the navigation menu based on the roles of the user currently logged in. TPS agents do not have access to users, groups, config, authenticators, connectors, profile mappings, audit, and self tests, so the corresponding menu items will be hidden. TPS admins have access to all menu items. https://fedorahosted.org/pki/ticket/1292
* Remove unneeded class EnrollProfileContext (Fraser Tweedale, 2015-04-16; 2 files, -35/+2)

* Fix incorrect class name in debug message (Fraser Tweedale, 2015-04-16; 1 file, -1/+1)

* Remove duplicate getRequestQueue code (Fraser Tweedale, 2015-04-16; 1 file, -2/+1)

* Remove unused RequestSubsystem constructor (Fraser Tweedale, 2015-04-16; 1 file, -6/+0)

* Ticket 1339 doRevoke error string doesn't clear after failure. (Christina Fu, 2015-04-16; 1 file, -0/+2)
  Porting from Bugzilla 1150142.

* Add HSM options to pkispawn (Matthew Harmsen, 2015-04-14; 6 files, -0/+108)
  - PKI TRAC Ticket #1346 - pkispawn should have an HSM library option

* Ticket#1028 phase2: TPS rewrite: provide externalReg functionality (Christina Fu, 2015-04-14; 2 files, -10/+2)
  This patch is the 2nd phase of the externalReg feature; it makes the following improvements:
  * added feature: recovery by keyid (vs. by cert)
  * fixed some auditing message errors
  * added some missing ldapStringAttributes needed for delegation to work properly
  * added missing externalReg required config parameters
  * made corrections to some externalReg related parameters to allow delegation to work properly
  * added handling of some error cases
  * made sure externalReg enrollment does not go half-way (once it fails, it bails out)
  tested:
  * enrollment of the three default TPS profiles (tokenTypes)
  * format of the tokens enrolled with the three default tps profiles
  * delegation enrollments
  * cuid match check
  next phase:
  * cert/key retention (allow preserving existing certs/keys on the token)
  note:
  * some of the activity log and cert status related issues that are not specifically related to externalReg will be addressed in other more relevant tickets.

* Consolidate profile persistent search try/catch blocks (Fraser Tweedale, 2015-04-13; 1 file, -15/+15)

* Remove unneeded collection from profile subsystems (Fraser Tweedale, 2015-04-13; 3 files, -11/+1)
  Caveat: This changes the order in which profiles are listed, but the previous order doesn't seem very logical and there doesn't appear to be any contract for a particular order.

* pki-tomcatd fails to start on system boot (Matthew Harmsen, 2015-04-13; 10 files, -34/+162)
  - PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
  - PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
* Add pkispawn config option for ldap profiles (Fraser Tweedale, 2015-04-13; 3 files, -0/+8)
  Add the `pki_profiles_in_ldap' pkispawn config to control whether profiles are stored on the filesystem (old behaviour) or LDAP (new behaviour). The default is file-based profiles.

* Monitor database for changes to LDAP profiles. (Fraser Tweedale, 2015-04-13; 2 files, -78/+178)
  Use a persistent query to monitor the database for changes to LDAP profiles, and update the contents of the ProfileSubsystem according to the changes (Add/Modify/Delete) that occur. The monitoring occurs within its own thread.

* Added upgrade script to fix instance work folder ownership. (Endi S. Dewata, 2015-04-08; 1 file, -0/+57)
  The <instance>/work/Catalina/localhost/pki folder was owned by root in Dogtag 10.0.x but now should be owned by pkiuser. An upgrade script has been added to fix the ownership. https://fedorahosted.org/pki/ticket/802

* Fixed problem with TPS profile default status. (Endi S. Dewata, 2015-04-08; 1 file, -1/+2)
  The base class of ProfileDatabase (i.e. CSCfgDatabase) has been modified to return the correct default value (i.e. Enabled) if the status parameter doesn't exist. The TPSProcessor has been modified to use ProfileDatabase and other TPS code has also been changed to use constants instead of string literals to ensure consistency. https://fedorahosted.org/pki/ticket/1270

* Add ability to enable/disable dynamic subsystems (Fraser Tweedale, 2015-04-07; 2 files, -17/+52)
  The CA installation process requires starting with the profile subsystem disabled, then enabling it once profiles have been loaded into the database. Accordingly, to avoid hacks with hardcoded offsets, add the "enabled" CS.cfg configuration parameter along with methods to enable or disable a subsystem based on the subsystem ID. A disabled subsystem does not have its `init` method called, but it is still instantiated and added to the registry so that other code can look up a subsystem by name and find out its class. Subsystems are enabled by default. This commit also removes an assumption that the subsystem config sub-store names are sequential numbers beginning at `0`.

* Add LDAPProfileSubsystem to store profiles in LDAP (Fraser Tweedale, 2015-04-07; 6 files, -170/+426)
  Add the LDAPProfileSubsystem as another IProfileSubsystem implementation that can be used instead of ProfileSubsystem (which stores profiles on the file system) to store files in LDAP so that changes can be replicated. Extract common behaviour into a new AbstractProfileSubsystem superclass. Also address the minor issue #1220.

* Add LDAPConfigStore class (Fraser Tweedale, 2015-04-07; 1 file, -0/+195)
  The LDAPConfigStore class is an IConfigStore that reads and writes its configuration to a given attribute and DN in an LDAP database.