path: root/base/tps/shared/conf
Commit message | Author | Age | Files | Lines
* SCP03 support for g&d sc 7 card. | Jack Magne | 2017-04-12 | 1 | -1/+1
  This allows the use of the g&d 7 card.
  This will require the following:
  1. An out of band method is needed to generate an AES based master key. We do not as of yet have support with tkstool for this:
     Ex: /usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16
  2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:
     Ex:
     tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
     tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
     tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
     tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
     tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
     tks.defKeySet._010=##
     tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
     tks.defKeySet._013=## Smart Cafe 6 settings:
     tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
     tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
     tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
     tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
     tks.defKeySet._018=##Smart Cafe 7 settings:
     tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
     tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
     tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
     tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
     tks.defKeySet._023=##
     tks.defKeySet._024=##
* Added CLIs to access audit log files. | Endi S. Dewata | 2017-04-04 | 1 | -0/+3
  New pki audit commands have been added to list and retrieve audit log files.
  Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems. | Endi S. Dewata | 2017-04-04 | 1 | -2/+5
  Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.
  Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Added audit logs for SSL/TLS events. | Endi S. Dewata | 2017-03-28 | 1 | -2/+2
  The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.
  The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.
  https://pagure.io/dogtagpki/issue/2602
  Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Ticket #2569: Token memory not wiped after key deletion | Jack Magne | 2017-01-11 | 1 | -19/+19
  This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.
* Removed unused OCSP, TKS, and TPS logging.properties. | Endi S. Dewata | 2016-11-18 | 1 | -70/+0
  The logging.properties files in OCSP, TKS, and TPS folders are never deployed so they have been removed.
  https://fedorahosted.org/pki/ticket/1897
* Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true | Christina Fu | 2016-10-10 | 1 | -7/+11
  This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
* Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches | Christina Fu | 2016-10-10 | 1 | -1/+17
  Problem:
  There are two ways to recover the keys with
  a. by cert
  b. by keyId
  When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are wrapped.
  This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.
  Code summary for externalReg key recovery:
  config default: externalReg.recover.byKeyID=false
  Recover either by keyID or by cert
  When recovering by keyid: externalReg.recover.byKeyID=true
  - keyid in record indicates actual recovery;
  - missing of which means retention;
  When recovering by cert: externalReg.recover.byKeyID=false
  - keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine)
  - missing of keyid still means retention;
  (In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
* Add ability to disallow TPS to enroll a single user on multiple tokens. | Jack Magne | 2016-06-30 | 1 | -0/+3
  This patch will install a check during the early portion of the enrollment process check a configurable policy whether or not a user should be allowed to have more than one active token.
  This check will take place only for brand new tokens not seen before. The check will prevent the enrollment to proceed and will exit before the system has a chance to add this new token to the TPS tokendb.
  The behavior will be configurable for the external reg and not external reg scenarios as follows:
  tokendb.nonExternalReg.allowMultiActiveTokensUser=false
  tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
* Ticket #1306 config params: Add granularity to token termination in TPS | Christina Fu | 2016-06-30 | 1 | -4/+119
  This patch adds the missing configuration parameters that go with the original bug. The code would take on defaults when these parameters are missing, but putting them in the CS.cfg would make it easier for the administrators.
* Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys | Christina Fu | 2016-06-28 | 1 | -8/+35
  This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
* UdnPwdDirAuth authentication plugin instance is not working. | Jack Magne | 2016-06-17 | 1 | -1/+0
  Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.
  Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Removed unused Tomcat 6 files. | Endi S. Dewata | 2016-06-17 | 1 | -58/+0
  https://fedorahosted.org/pki/ticket/2363
* Updated instructions to customize TPS token lifecycle. | Endi S. Dewata | 2016-06-16 | 2 | -6/+18
  The TPS's CS.cfg and token-states.properties have been updated to include instructions to customize token state transitions and labels.
  https://fedorahosted.org/pki/ticket/2300
* Fixed TPS VLV sort orders. | Endi S. Dewata | 2016-06-10 | 1 | -2/+2
  The TPS VLVs for tokens and activities have been modified to sort the results by date in reverse order.
  The DBRegistry.getLDAPAttributes() was modified to support reverse sort order by recognizing the "-" prefix in the list of sort keys and pass it to LDAP.
  The DBVirtualList.setSortKey() was modified to ignore bubble up the exceptions that happen during LDAP attribute mapping.
  https://fedorahosted.org/pki/ticket/2263
  https://fedorahosted.org/pki/ticket/2269
* Fixed TPS VLV filters. | Endi S. Dewata | 2016-06-10 | 1 | -2/+2
  Previously TPS VLVs for tokens and activities were defined using presence filters of some optional attributes. If the optional attribute is missing the entry will not be included in the search result.
  The VLVs have now been modified to use object class matching filters to ensure they match all tokens and activities.
  https://fedorahosted.org/pki/ticket/2354
* Fixed invalid TPS VLV indexes. | Endi S. Dewata | 2016-06-02 | 1 | -6/+4
  The TPS VLV indexes have been fixed to use the correct vlvScope (i.e. one level). The unsupported minus sign in vlvSort and the redundant vlvEnabled have been removed.
  https://fedorahosted.org/pki/ticket/2342
* Fixed hard-coded database name for TPS VLV indexes. | Endi S. Dewata | 2016-05-27 | 2 | -7/+7
  The vlv.ldif for TPS has been modified to remove the hard-coded database name and to use customizable parameter instead.
  The token and activity REST services have been modified to search the database using VLV.
  The existing database can be fixed using the following procedure:
  http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes
  https://fedorahosted.org/pki/ticket/2342
* Ticket #1527 reopened: retrieved wrong ca connector config parameter | Christina Fu | 2016-05-18 | 1 | -1/+11
  This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment. The following is attempted:
    op.enroll.userKey.ca.conn
  while the following is intended:
    op.format.userKey.ca.conn
  In addition, this patch also fixes the following issues;
  a. reason param name is not conforming: "reason" instead of "revokeReason"
  b. adding default reason to format TPS profiles
  c. by default mappingResolver.formatProfileMappingResolver resolves to tokenKey, while enroll resolves to userKey. -> now changed the userKey
  d. if revocation fails during format, it was forgiving. -> now changed so that error is logged in activity log and exception thrown and bail out
* Added token status UNFORMATTED. | Endi S. Dewata | 2016-05-13 | 2 | -10/+14
  A new token status UNFORMATTED has been added for new tokens added via UI/CLI and for TERMINATED tokens that are to be reused.
  https://fedorahosted.org/pki/ticket/2287
* Renamed token status READY to FORMATTED. | Endi S. Dewata | 2016-05-13 | 2 | -13/+13
  The token status READY has been renamed to FORMATTED for clarity.
  https://fedorahosted.org/pki/ticket/2288
* Renamed CS.cfg.in to CS.cfg. | Endi S. Dewata | 2016-05-09 | 2 | -1/+1
  The CS.cfg.in has been renamed to CS.cfg to clean up the CMake scripts and for consistency. This change does not affect the actual files shipped in the RPM packages.
  https://fedorahosted.org/pki/ticket/2278
* Updated default TPS token state transitions. | Endi S. Dewata | 2016-05-06 | 1 | -13/+10
  The tps.operations.allowedTransitions property has been updated to include 4:4 transition by default.
  The inline documentation for tokendb.allowedTransitions and tps.operations.allowedTransitions has been updated to remove unsupported states and to add a note about adding/removing transitions.
  https://fedorahosted.org/pki/ticket/1290
* Renamed token status UNINITIALIZED to READY. | Endi S. Dewata | 2016-05-03 | 2 | -8/+8
  The token status UNINITIALIZED has been renamed to READY for clarity. To simplify the transition, the CLIs and the REST API will continue to accept UNINITIALIZED but it will be converted internally into READY and a deprecation warning will be generated.
  https://fedorahosted.org/pki/ticket/2288
* Renamed token status TEMP_LOST to SUSPENDED. | Endi S. Dewata | 2016-05-03 | 2 | -9/+9
  The token status TEMP_LOST has been renamed to SUSPENDED such that it can be used in more general contexts. To simplify the transition, the CLIs and the REST API will continue to accept TEMP_LOST but it will be converted internally into SUSPENDED and a deprecation warning will be generated.
  https://fedorahosted.org/pki/ticket/2286
* Removed unused TPS user fields and group. | Endi S. Dewata | 2016-04-25 | 2 | -7/+1
  The unused user status and type fields and the TPS Officers group have been removed from the TPS UI.
  https://fedorahosted.org/pki/ticket/2264
  https://fedorahosted.org/pki/ticket/2265
  https://fedorahosted.org/pki/ticket/2266
* Add new usn entry to other subsystems | Ade Lee | 2016-04-15 | 1 | -0/+1
* Ticket #1006 Audit logging for TPS REST operations | Christina Fu | 2016-03-28 | 1 | -2/+2
  This patch adds audit logging to TPS REST write-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_*
  The affected (new or modified) log messages include:
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
  LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically. | Endi S. Dewata | 2016-03-28 | 2 | -1/+2
  The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates.
  The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg. Duplicate code that loads the allowed transitions list has been merged and moved into TPSSubsystem.
  https://fedorahosted.org/pki/ticket/1808
* Remove vestiges of NISAuth plugin | Fraser Tweedale | 2016-02-16 | 1 | -1/+0
  Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit events | Christina Fu | 2016-02-15 | 1 | -2/+2
  This patch implements the TPS operation auditing:
  TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE
  Administrative auditing (via REST interface) will be covered in a separate ticket
* Added resource bundle for token state labels. | Endi S. Dewata | 2016-02-05 | 1 | -0/+21
  The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overridden by copying and customizing the file into <instance>/tps/conf.
  When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
* Fixed TPS token state transitions. | Endi S. Dewata | 2016-02-03 | 1 | -16/+16
  The TPS service has been modified to provide a list of allowed state transitions based on the current token state. The TPS UI was modified to display only the allowed state transitions when changing the token status.
  The allowed state transition list has been modified to remove invalid token transitions including:
    * UNINITIALIZED -> FOUND
    * UNINITIALIZED -> TEMP_LOST_PERM_LOST
  The token FOUND state has been renamed to ACTIVE for clarity. The token TEMP_LOST_PERM_LOST state has been merged into PERM_LOST since they are identical in the database.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
  https://fedorahosted.org/pki/ticket/1684
* Remove obsolete catalina config files | Fraser Tweedale | 2016-01-21 | 2 | -269/+0
* Ticket 1307 minor fix for - [RFE] Support multiple keySets for different cards for ExternalReg | Christina Fu | 2015-08-24 | 1 | -8/+15
  - make default keySetMappingResolver work for smart cards out of box
  The earlier patch works fine for the feature requested. However, the default keySetMappingResolver filter contains keySet extension which would fail smart cards. Although this could be easily worked around, this patch provides the default that would make it easier to play with.
* Add code to reindex data during cloning without replication | Ade Lee | 2015-07-31 | 2 | -0/+16
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg. | Jack Magne | 2015-07-28 | 1 | -0/+1
  It is true that this setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature, even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* TPS add phone home URLs to pkidaemon status message. | Jack Magne | 2015-07-16 | 1 | -258/+0
  Ticket #1466.
  Also remove some needless copies of server.xml from the code.
* Add GP211 applet and latest GP201 applet for RSA. | Jack Magne | 2015-07-01 | 1 | -21/+24
  Ticket # 793: Add support for Secure Channel Protocol 02
  Properly select the coolkey applet in the "getAppletVersion" routine. For some reason the gp211 applet revealed this issue.
  Tested to work with both gp211 scp02 card and gp201 scp01 card.
* remove extra space in CS.cfg for op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true | Christina Fu | 2015-05-29 | 1 | -1/+1
* Fix typo in CS.cfg | Ade Lee | 2015-05-29 | 1 | -1/+1
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in the token db cert entry | Christina Fu | 2015-05-22 | 1 | -15/+18
* Ticket 1307 (part2 keySet mapping) [RFE] Support multiple keySets for different cards for ExternalReg | Christina Fu | 2015-05-21 | 1 | -131/+184
  This patch adds support to keyset mapping
* Ticket 1307 (part1 refactoring) [RFE] Support multiple keySets for different cards for ExternalReg | Christina Fu | 2015-05-21 | 2 | -92/+92
  This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
* Remove duplicate prompt on nuxwdog startup | Ade Lee | 2015-04-23 | 1 | -1/+1
* Changes to config files to support nuxwdog | Ade Lee | 2015-04-22 | 1 | -0/+1
  Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8. | Endi S. Dewata | 2015-04-21 | 1 | -37/+0
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well.
  The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Fixed TPS REST services. | Endi S. Dewata | 2015-04-17 | 2 | -5/+5
  The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status.
  https://fedorahosted.org/pki/ticket/1292
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionality | Christina Fu | 2015-04-14 | 1 | -6/+32
  This patch is the 2nd phase of the externalReg feature, it makes the following improvements:
    * added feature: recovery by keyid (v.s. by cert)
    * fixed some auditing message errors
    * added some missing ldapStringAttributes needed for delegation to work properly
    * added missing externalReg required config parameters
    * made corrections to some externalReg related parameters to allow delegation to work properly
    * added handle of some error cases
    * made sure externalReg enrollment does not go half-way (once fails, bails out)
  tested:
    * enrollment of the three default TPS profiles (tokenTypes)
    * format of the tokens enrolled with the three default tps profiles
    * delegation enrollments
    * cuid match check
  next phase:
    * cert/key retention (allow preserving existing certs/keys on the token)
  note:
    * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* NISTSP8000 feature. | Jack Magne | 2015-03-17 | 1 | -0/+102
  Implementation of the nistSP800 derivation feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist derivation code is being called.
  Review comments addressed
  Cleanup of some input validation on the TKS.
  Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
  Final review comments.
  Fixed issue with extracting the kdd from the AppletInfo class.
  Fixed issue with sending the KDD to the encryptData TKS servlet.
  Added requested entries to the CS.cfg.