path: root/base/tps/shared
Commit message (author, date, files changed, lines -removed/+added)
* Removed unused TPS user fields and group. (Endi S. Dewata, 2016-04-25, 4 files, -15/+1)
  The unused user status and type fields and the TPS Officers group have been removed from the TPS UI.
  https://fedorahosted.org/pki/ticket/2264
  https://fedorahosted.org/pki/ticket/2265
  https://fedorahosted.org/pki/ticket/2266
* Fixed TPS UI navigation. (Endi S. Dewata, 2016-04-25, 1 file, -7/+14)
  The TPS UI home page and the status menu item have been temporarily removed. The home links will now redirect to the tokens page.
  https://fedorahosted.org/pki/ticket/2261
  https://fedorahosted.org/pki/ticket/2262
* Add new usn entry to other subsystems (Ade Lee, 2016-04-15, 1 file, -0/+1)
* Ticket #1006 Audit logging for TPS REST operations (Christina Fu, 2016-03-28, 1 file, -2/+2)
  This patch adds audit logging to TPS REST write-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_*
  The affected (new or modified) log messages include:
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
    LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
    LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically. (Endi S. Dewata, 2016-03-28, 2 files, -1/+2)
  The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates. The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.
  Duplicate code that loads the allowed transitions list has been merged and moved into TPSSubsystem.
  https://fedorahosted.org/pki/ticket/1808
* Added TPS token filter dialog. (Endi S. Dewata, 2016-03-17, 2 files, -1/+100)
  The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes.
  The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes.
  https://fedorahosted.org/pki/ticket/1482
* Replaced confirmation dialog with HTML dialog. (Endi S. Dewata, 2016-03-17, 3 files, -136/+27)
  The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear.
  https://fedorahosted.org/pki/ticket/1685
* Remove vestiges of NISAuth plugin (Fraser Tweedale, 2016-02-16, 1 file, -1/+0)
  Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit events (Christina Fu, 2016-02-15, 1 file, -2/+2)
  This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS, TOKEN_APPLET_UPGRADE_FAILURE, TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL, TOKEN_KEY_RECOVERY, TOKEN_CERT_STATUS_CHANGE_REQUEST, TOKEN_OP_REQUEST, TOKEN_FORMAT_SUCCESS, TOKEN_FORMAT_FAILURE, TOKEN_KEY_CHANGEOVER, TOKEN_KEY_CHANGEOVER_FAILURE, TOKEN_PIN_RESET_SUCCESS, TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE, TOKEN_AUTH_SUCCESS, TOKEN_AUTH_FAILURE
  Administrative auditing (via REST interface) will be covered in a separate ticket
* Fixed token modify operation. (Endi S. Dewata, 2016-02-08, 1 file, -1/+1)
  The TPS UI and CLI have been modified to accept only user ID and policy attributes when modifying a token.
  https://fedorahosted.org/pki/ticket/1687
* Added resource bundle for token state labels. (Endi S. Dewata, 2016-02-05, 4 files, -23/+45)
  The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overridden by copying and customizing the file into <instance>/tps/conf.
  When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
* Fixed token add operation. (Endi S. Dewata, 2016-02-05, 3 files, -14/+39)
  The TPS UI and CLI have been modified to accept only token ID, and optionally user ID and policy attributes when adding a token.
  https://fedorahosted.org/pki/ticket/1477
  https://fedorahosted.org/pki/ticket/1687
* Fixed TPS token state transitions. (Endi S. Dewata, 2016-02-03, 4 files, -30/+50)
  The TPS service has been modified to provide a list of allowed state transitions based on the current token state. The TPS UI was modified to display only the allowed state transitions when changing the token status.
  The allowed state transition list has been modified to remove invalid token transitions including:
    * UNINITIALIZED -> FOUND
    * UNINITIALIZED -> TEMP_LOST_PERM_LOST
  The token FOUND state has been renamed to ACTIVE for clarity. The token TEMP_LOST_PERM_LOST state has been merged into PERM_LOST since they are identical in the database.
  https://fedorahosted.org/pki/ticket/1289
  https://fedorahosted.org/pki/ticket/1291
  https://fedorahosted.org/pki/ticket/1684
* Fixed TPS UI logout error message. (Endi S. Dewata, 2016-02-02, 1 file, -1/+1)
  The TPS UI has been modified such that if the browser does not support logout operation it will show a message asking the user to clear the Active Logins or close the browser.
  https://fedorahosted.org/pki/ticket/1344
* Remove obsolete catalina config files (Fraser Tweedale, 2016-01-21, 2 files, -269/+0)
* Added interface to run selftest in TPS UI. (Endi S. Dewata, 2016-01-18, 3 files, -10/+197)
  The TPS UI has been modified to provide an interface to run the selftests and display the results.
  https://fedorahosted.org/pki/ticket/1502
* Added table to manage TPS user profiles. (Endi S. Dewata, 2016-01-18, 2 files, -20/+252)
  The TPS UI has been modified to provide a table as an interface to manage the user profiles. When adding a profile, the profile can be selected from a list of available profiles.
  The UserService and UGSubsystem have been modified to allow adding a user with no assigned profiles.
  https://fedorahosted.org/pki/ticket/1478
* Fixed TPS UI to display accessible services only. (Endi S. Dewata, 2016-01-18, 3 files, -8/+35)
  The TPS UI has been modified to display the accessible services based on the user's roles. A TPS admin has access to all services. A TPS agent has access to tokens, certificates, activities, and profiles. A TPS operator has access to tokens, certificates, and activities only.
  https://fedorahosted.org/pki/ticket/1476
* Updated TPS UI element IDs. (Endi S. Dewata, 2015-10-15, 18 files, -43/+43)
  The TPS UI navigation elements have been updated to add the missing names and to use better names. The checkbox IDs in various pages have also been renamed for consistency.
  The pki-ui.js has been modified to use the checkbox ID of the template row instead of table name to construct the checkbox ID of the actual rows.
  https://fedorahosted.org/pki/ticket/1622
* Ticket 1307 minor fix for - [RFE] Support multiple keySets for different cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box (Christina Fu, 2015-08-24, 1 file, -8/+15)
  The earlier patch works fine for the feature requested. However, the default keySetMappingResolver filter contains keySet extension which would fail smart cards. Although this could be easily worked around, this patch provides the default that would make it easier to play with.
* Add code to reindex data during cloning without replication (Ade Lee, 2015-07-31, 2 files, -0/+16)
  When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed.
  When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed.
  Related to ticket 1414
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg. (Jack Magne, 2015-07-28, 1 file, -0/+1)
  It is true that this setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature, even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* TPS add phone home URLs to pkidaemon status message. (Jack Magne, 2015-07-16, 1 file, -258/+0)
  Ticket # 1466. Also remove some needless copies of server.xml from the code.
* Fix Pin Reset tokenType resolution. (Jack Magne, 2015-07-01, 1 file, -1/+1)
  Ticket #1423 Pin reset operation using tpsclient fails.
  Recently we had added a new way to resolve the profile. That new method was not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
* Add GP211 applet and latest GP201 applet for RSA. (Jack Magne, 2015-07-01, 4 files, -43/+32)
  Ticket # 793: Add support for Secure Channel Protocol 02
  Properly select the coolkey applet in the "getAppletVersion" routine. For some reason the gp211 applet revealed this issue. Tested to work with both gp211 scp02 card and gp201 scp01 card.
* remove extra space in CS.cfg for op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true (Christina Fu, 2015-05-29, 1 file, -1/+1)
* Fix typo in CS.cfg (Ade Lee, 2015-05-29, 1 file, -1/+1)
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in the token db cert entry (Christina Fu, 2015-05-22, 1 file, -15/+18)
* Ticket 1307 (part2 keySet mapping) [RFE] Support multiple keySets for different cards for ExternalReg (Christina Fu, 2015-05-21, 1 file, -131/+184)
  This patch adds support to keyset mapping
* Ticket 1307 (part1 refactoring) [RFE] Support multiple keySets for different cards for ExternalReg (Christina Fu, 2015-05-21, 2 files, -92/+92)
  This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
* Remove duplicate prompt on nuxwdog startup (Ade Lee, 2015-04-23, 1 file, -1/+1)
* Moved color settings to CSS. (Endi S. Dewata, 2015-04-22, 2 files, -2/+2)
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file.
  https://fedorahosted.org/pki/ticket/1296
* Parameterized service.template in all subsystems. (Endi S. Dewata, 2015-04-22, 1 file, -106/+0)
  https://fedorahosted.org/pki/ticket/1296
* Changes to config files to support nuxwdog (Ade Lee, 2015-04-22, 1 file, -0/+1)
  Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8. (Endi S. Dewata, 2015-04-21, 1 file, -37/+0)
  The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well.
  The upgrade script will be added in a separate patch.
  https://fedorahosted.org/pki/ticket/1264
* Added bulk property editor in TPS UI. (Endi S. Dewata, 2015-04-17, 7 files, -2/+213)
  The TPS UI has been modified to provide an interface to edit raw properties as in the configuration file. This also allows editing multiple properties at once and also copy & pasting the properties.
  https://fedorahosted.org/pki/ticket/936
* Fixed action menu in TPS UI. (Endi S. Dewata, 2015-04-17, 20 files, -177/+419)
  The TPS UI has been modified to display the appropriate actions menu based on the roles of the user. TPS agent can only enable and disable profiles, and also approve or reject pending requests. TPS admin can only edit disabled profiles, then submit it for approval, or cancel the request.
  https://fedorahosted.org/pki/ticket/1292
* Fixed TPS REST services. (Endi S. Dewata, 2015-04-17, 2 files, -5/+5)
  The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status.
  https://fedorahosted.org/pki/ticket/1292
* Customized TPS UI menu based on user roles. (Endi S. Dewata, 2015-04-17, 14 files, -49/+92)
  The TPS UI has been modified to customize the navigation menu based on the roles of the user currently logged in. TPS agents do not have access to users, groups, config, authenticators, connectors, profile mappings, audit, and self tests, so the corresponding menu items will be hidden. TPS admins have access to all menu items.
  https://fedorahosted.org/pki/ticket/1292
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionality (Christina Fu, 2015-04-14, 1 file, -6/+32)
  This patch is the 2nd phase of the externalReg feature, it makes the following improvements:
    * added feature: recovery by keyid (v.s. by cert)
    * fixed some auditing message errors
    * added some missing ldapStringAttributes needed for delegation to work properly
    * added missing externalReg required config parameters
    * made corrections to some externalReg related parameters to allow delegation to work properly
    * added handle of some error cases
    * made sure externalReg enrollment does not go half-way (once fails, bails out)
  tested:
    * enrollment of the three default TPS profiles (tokenTypes)
    * format of the tokens enrolled with the three default tps profiles
    * delegation enrollments
    * cuid match check
  next phase:
    * cert/key retention (allow preserving existing certs/keys on the token)
  note:
    * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Fixed incorrect link in TPS UI. (Endi S. Dewata, 2015-04-08, 1 file, -1/+1)
  The "Subsystem Connections" link in the home.html has been fixed to point to #connectors.
  https://fedorahosted.org/pki/ticket/1274
* Added interface to show TPS token certificates. (Endi S. Dewata, 2015-04-08, 6 files, -2/+33)
  The TPS REST service, CLI, and UI have been modified to provide an interface to search for certificates belonging to a token.
  https://fedorahosted.org/pki/ticket/1164
* NISTSP8000 feature. (Jack Magne, 2015-03-17, 1 file, -0/+102)
  Implementation of the nistSP800 derivation feature.
  Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist derivation code is being called.
  Review comments addressed
  Cleanup of some input validation on the TKS.
  Added some sanity checking on the TPS side for key versions and token cuid's and kdd's.
  Final review comments.
  Fixed issue with extracting the kdd from the AppletInfo class.
  Fixed issue with sending the KDD to the encryptData TKS servlet.
  Added requested entries to the CS.cfg.
* Allow use of secure LDAPS connection (Matthew Harmsen, 2015-03-13, 1 file, -1/+1)
  - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883). (Jack Magne, 2015-02-27, 1 file, -1/+1)
  First cut of gp211 and scp protocol 02 for tokens.
  Allow token operations using a GP211 token over secure channel protocol 02.
  This patch supports the following:
    1. Token operations with a GP211 card and SCP02 protocol, implementation 15.
    2. Token still supports GP201 cards with SCP01.
    3. SCP02 tested with SC650 gp211/scp02 card.
  Things still to do:
    1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed.
    2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket.
    3. One of the new scp02 derivation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later.
    4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionality (Christina Fu, 2015-02-10, 1 file, -0/+475)
* Fix-for-Bug-1170867-TPS-Installation-Failed (Jack Magne, 2014-12-16, 4 files, -116/+3)
  Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif, database.ldif, and manager.ldif.
  Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree.
  The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case.
  Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy.
  All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine.
  Addressed further review comments:
    1. Removed trailing whitespace instances from schema.ldif which had some.
    2. Used pycharm to remove the few PEP violations I had previously added to the Python code.
    3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries were using an all in one syntax. No more since now each entry is separate.
    4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance.
    5. Tested everything to work as before, including basic TPS operations such as Format.
  Fixed a method comment string and fixed some typos.
* Revert "Enabled certificate revocation checking by default." (Endi S. Dewata, 2014-09-04, 1 file, -4/+0)
  This reverts commit 223d15539b7bcc0df025025036af2935726e52e3.
  The patch does not work for subsystems installed on separate instance since it will require additional OCSP setup.
* Rename pki-tps-tomcat to pki-tps (Matthew Harmsen, 2014-09-03, 96 files, -0/+9490)
  * PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
* Moved Tomcat-based TPS to separate folder. (Endi S. Dewata, 2013-08-15, 43 files, -5178/+0)
  The source files for the new Tomcat-based TPS have been moved from base/tps to base/tps-tomcat. The new TPS will now be built in pki-core and packaged in pki-tps-tomcat RPM. The old TPS and RA have been restored to the previous state before adding the new TPS.
  Once the new TPS is complete, the old TPS can be removed, the new TPS can be moved back to base/tps and the package can be renamed back to pki-tps.
  Ticket #702