path: root/base/tps/shared
Commit message (Author, Age; Files, Lines)
* SCP03 support for g&d sc 7 card. (Jack Magne, 2017-04-12; 1 file, -1/+1)

  This allows the use of the g&d 7 card. This will require the following:

  1. An out of band method is needed to generate an AES based master key.
     We do not as of yet have support with tkstool for this:
     Ex: /usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16

  2. There are some new config params that can be adjusted to support either
     the 6.0 or 7.0 cards:
     Ex:
     tks.defKeySet._005=## tks.prot3 , protocol 3 specific settings
     tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
     tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
     tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
     tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
     tks.defKeySet._010=##
     tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
     tks.defKeySet._013=## Smart Cafe 6 settings:
     tks.defKeySet._014=## tks.defKeySet.prot3.divers=emv
     tks.defKeySet._015=## tks.defKeySet.prot3.diversVer1Keys=emv
     tks.defKeySet._016=## tks.defKeySet.prot3.devKeyType=DES3
     tks.defKeySet._017=## tks.defKeySet.prot3.masterKeyType=DES3
     tks.defKeySet._018=##Smart Cafe 7 settings:
     tks.defKeySet._019=## tks.defKeySet.prot3.divers=none
     tks.defKeySet._020=## tks.defKeySet.prot3.diversVer1Keys=none
     tks.defKeySet._021=## tks.defKeySet.prot3.devKeyType=AES
     tks.defKeySet._022=## tks.defKeySet.prot3.masterKeyType=AES
     tks.defKeySet._023=##
     tks.defKeySet._024=##
* Added CLIs to access audit log files. (Endi S. Dewata, 2017-04-04; 1 file, -0/+3)

  New pki audit commands have been added to list and retrieve audit log files.

  Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
* Added audit service and CLI to all subsystems. (Endi S. Dewata, 2017-04-04; 1 file, -2/+5)

  Previously the audit service and CLI were only available on TPS. Now they have been added to all subsystems.

  Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
* Added audit logs for SSL/TLS events. (Endi S. Dewata, 2017-03-28; 1 file, -2/+2)

  The CMSStartServlet has been modified to register an SSL socket listener called PKIServerSocketListener to TomcatJSS. The PKIServerSocketListener will receive the alerts generated by SSL server sockets and generate ACCESS_SESSION_* audit logs.

  The CS.cfg for all subsystems have been modified to include ACCESS_SESSION_* audit events.

  https://pagure.io/dogtagpki/issue/2602

  Change-Id: If7fb6c1b096ec8c68d1fd08f9132baf099816f11
* Added access banner to TPS UI. (Endi S. Dewata, 2017-02-24; 5 files, -3/+30)

  All pages in TPS UI have been modified to retrieve access banner and display it once at the beginning of the SSL connection.

  https://fedorahosted.org/pki/ticket/2582
* Refactored pki-ui.js. (Endi S. Dewata, 2017-02-20; 1 file, -0/+1)

  For clarity the non-UI code in the pki-ui.js has been moved into pki.js.
* Renamed index.html to index.jsp in TPS UI. (Endi S. Dewata, 2017-02-20; 2 files, -0/+0)

  The index.html files in TPS UI have been renamed to index.jsp such that they can be protected by access banner.

  https://fedorahosted.org/pki/ticket/2582
* Ticket #2569: Token memory not wiped after key deletion (Jack Magne, 2017-01-11; 3 files, -20/+20)

  This is the dogtag upstream side of the TPS portion of this ticket. This fix also involves an applet fix, handled in another bug.
* Fixed TPS UI for agent approval. (Endi S. Dewata, 2016-11-22; 3 files, -97/+124)

  The TPS UI has been updated to support TPS agent approval process for changes in authenticators, connectors, and profile mappings in addition to profiles.

  The ConfigEntryPage has been updated to display the action links consistently in the above components for all possible role and status combinations.

  The ProfilePage has been removed since the code has been merged into its super class.

  https://fedorahosted.org/pki/ticket/2523
* Fixed TPS UI system menu. (Endi S. Dewata, 2016-11-22; 1 file, -6/+50)

  The TPS UI has been modified to adjust the system menu based on the list of accessible components obtained during login.

  The TPSApplication has been modified to use TPSAccountService which returns the list of accessible components based on the following properties in the CS.cfg:
  * admin: target.configure.list
  * agent: target.agent_approve.list

  https://fedorahosted.org/pki/ticket/2523
* Removed unused OCSP, TKS, and TPS logging.properties. (Endi S. Dewata, 2016-11-18; 1 file, -70/+0)

  The logging.properties files in OCSP, TKS, and TPS folders are never deployed so they have been removed.

  https://fedorahosted.org/pki/ticket/1897
* Revert "Fixed TPS UI system menu." (Matthew Harmsen, 2016-11-03; 1 file, -50/+6)

  This reverts commit f979c3b436e9a12e8c71ba0abab5c892d375f945.
* Revert "Fixed TPS UI for agent approval." (Matthew Harmsen, 2016-11-03; 3 files, -124/+97)

  This reverts commit 3c4f9c7eb1aa9a71c0f5a943314d355d2fdeebb4.
* Fixed TPS UI for agent approval. (Endi S. Dewata, 2016-10-21; 3 files, -97/+124)

  The TPS UI has been updated to support TPS agent approval process for changes in authenticators, connectors, and profile mappings in addition to profiles.

  The ConfigEntryPage has been updated to display the action links consistently in the above components for all possible role and status combinations.

  The ProfilePage has been removed since the code has been merged into its super class.

  https://fedorahosted.org/pki/ticket/2523
* Fixed TPS UI system menu. (Endi S. Dewata, 2016-10-21; 1 file, -6/+50)

  The TPS UI has been modified to adjust the system menu based on the list of accessible components obtained during login.

  The TPSApplication has been modified to use TPSAccountService which returns the list of accessible components based on the following properties in the CS.cfg:
  * admin: target.configure.list
  * agent: target.agent_approve.list

  The AccountInfo has been changed to extend the ResourceMessage such that it can be used to pass the list of accessible components as an attribute.

  https://fedorahosted.org/pki/ticket/2523
* Ticket #2498 Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true (Christina Fu, 2016-10-10; 1 file, -7/+11)

  This patch adds the missing parameters in the CS.cfg for externalRegAddToToken in regards to format operation. It also changed the non-defined ldap2 and ldap3 and ldap1
* Ticket #2496 Cert/Key recovery is successful when the cert serial number and key id on the ldap user mismatches (Christina Fu, 2016-10-10; 1 file, -1/+17)

  Problem: There are two ways to recover the keys with
    a. by cert
    b. by keyId
  When recovering by cert, KRA checks if cert and key matches before returning; However, in case of recovering by keyId, KRA has no way of checking. TPS also has no way of checking because the recovered private keys are wrapped.

  This patch adds a control parameter externalReg.recovery.byKeyID to determine if TPS should recover keys by keyIDs. By default, it is false, so certs are used to search for key record and recover.

  Code summary for externalReg key recovery:
  config default: externalReg.recover.byKeyID=false
  Recover either by keyID or by cert
  When recovering by keyid: externalReg.recover.byKeyID=true
    - keyid in record indicates actual recovery;
    - missing of which means retention;
  When recovering by cert: externalReg.recover.byKeyID=false
    - keyid field needs to be present but the value is not relevant and will be ignored (a "0" would be fine)
    - missing of keyid still means retention;
  (In hindsight, recovery by keyid is probably more accident-prone and should be discouraged)
* Removed PKCS #7 from add user cert dialog in TPS UI. (Endi S. Dewata, 2016-08-12; 1 file, -1/+1)

  The dialog box for adding user certificate in TPS UI has been modified to no longer mention PKCS #7. The REST service itself still accepts PKCS #7, but it should be cleaned up in the future.

  https://fedorahosted.org/pki/ticket/2437
* Add ability to disallow TPS to enroll a single user on multiple tokens. (Jack Magne, 2016-06-30; 1 file, -0/+3)

  This patch will install a check during the early portion of the enrollment process check a configurable policy whether or not a user should be allowed to have more than one active token. This check will take place only for brand new tokens not seen before. The check will prevent the enrollment to proceed and will exit before the system has a chance to add this new token to the TPS tokendb.

  The behavior will be configurable for the external reg and not external reg scenarios as follows:
  tokendb.nonExternalReg.allowMultiActiveTokensUser=false
  tokendb.enroll.externalReg.allowMultiActiveTokensUser=false
* Ticket #1306 config params: Add granularity to token termination in TPS (Christina Fu, 2016-06-30; 1 file, -4/+119)

  This patch adds the missing configuration parameters that go with the original bug. The code would take on defaults when these parameters are missing, but putting them in the CS.cfg would make it easier for the administrators.
* Ticket #1308 [RFE] Provide ability to perform off-card key generation for non-encryption token keys (Christina Fu, 2016-06-28; 1 file, -8/+35)

  This is the patch to add missing serverKeygen params for non-encryption certs. By default it is disabled.
* UdnPwdDirAuth authentication plugin instance is not working. (Jack Magne, 2016-06-17; 1 file, -1/+0)

  Ticket #1579 : UdnPwdDirAuth authentication plugin instance is not working.

  Since this class no longer works, we felt it best to just remove it from the server. This patch removes the references and files associated with this auth method.
* Removed unused Tomcat 6 files. (Endi S. Dewata, 2016-06-17; 1 file, -58/+0)

  https://fedorahosted.org/pki/ticket/2363
* Updated instructions to customize TPS token lifecycle. (Endi S. Dewata, 2016-06-16; 2 files, -6/+18)

  The TPS's CS.cfg and token-states.properties have been updated to include instructions to customize token state transitions and labels.

  https://fedorahosted.org/pki/ticket/2300
* Fixed TPS VLV sort orders. (Endi S. Dewata, 2016-06-10; 1 file, -2/+2)

  The TPS VLVs for tokens and activities have been modified to sort the results by date in reverse order.

  The DBRegistry.getLDAPAttributes() was modified to support reverse sort order by recognizing the "-" prefix in the list of sort keys and pass it to LDAP.

  The DBVirtualList.setSortKey() was modified to ignore bubble up the exceptions that happen during LDAP attribute mapping.

  https://fedorahosted.org/pki/ticket/2263
  https://fedorahosted.org/pki/ticket/2269
* Fixed TPS VLV filters. (Endi S. Dewata, 2016-06-10; 1 file, -2/+2)

  Previously TPS VLVs for tokens and activities were defined using presence filters of some optional attributes. If the optional attribute is missing the entry will not be included in the search result.

  The VLVs have now been modified to use object class matching filters to ensure they match all tokens and activities.

  https://fedorahosted.org/pki/ticket/2354
* Removed selftest interface from TPS UI. (Endi S. Dewata, 2016-06-04; 1 file, -2/+6)

  The selftest interface has been removed from TPS UI to avoid confusion due to its limited usefulness.

  https://fedorahosted.org/pki/ticket/2344
* Fixed truncated token activity message in TPS UI. (Endi S. Dewata, 2016-06-03; 1 file, -1/+3)

  The TPS UI has been modified to display the token activity message in a textarea to avoid truncation.

  The UI framework class has been modified to handle textarea. The CSS has been modified to align the field label with the top of textarea.

  https://fedorahosted.org/pki/ticket/2299
* Fixed invalid TPS VLV indexes. (Endi S. Dewata, 2016-06-02; 1 file, -6/+4)

  The TPS VLV indexes have been fixed to use the correct vlvScope (i.e. one level). The unsupported minus sign in vlvSort and the redundant vlvEnabled have been removed.

  https://fedorahosted.org/pki/ticket/2342
* Fixed hard-coded database name for TPS VLV indexes. (Endi S. Dewata, 2016-05-27; 2 files, -7/+7)

  The vlv.ldif for TPS has been modified to remove the hard-coded database name and to use customizable parameter instead.

  The token and activity REST services have been modified to search the database using VLV.

  The existing database can be fixed using the following procedure:
  http://pki.fedoraproject.org/wiki/Database_Upgrade_for_PKI_10.3.x#Relocating_VLV_indexes

  https://fedorahosted.org/pki/ticket/2342
* Added TPS UI for managing user certificates. (Endi S. Dewata, 2016-05-24; 4 files, -0/+228)

  The TPS UI has been modified to provide an interface to manage the user certificates.

  The UserService has been modified to provide better error messages.

  https://fedorahosted.org/pki/ticket/1434
* Added TPS UI for managing user roles. (Endi S. Dewata, 2016-05-24; 5 files, -14/+225)

  The TPS UI has been modified to provide an interface to manage the user roles.

  The ErrorDialog was modified to handle both text and JSON error responses.

  https://fedorahosted.org/pki/ticket/2267
* Ticket #1527 reopened: retrieved wrong ca connector config parameter (Christina Fu, 2016-05-18; 1 file, -1/+11)

  This ticket was reopened due to retrieving wrong ca connector config param for the case when format is done within an enrollment.
  The following is attempted: op.enroll.userKey.ca.conn
  while the following is intended: op.format.userKey.ca.conn

  In addition, this patch also fixes the following issues;
  a. reason param name is not conforming: "reason" instead of "revokeReason"
  b. adding default reason to format TPS profiles
  c. by default mappingResolver.formatProfileMappingResolver resolves to tokenKey, while enroll resolves to userKey. -> now changed the userKey
  d. if revocation fails during format, it was forgiving. -> now changed so that error is logged in activity log and exception thrown and bail out
* Added warning message for token reuse. (Endi S. Dewata, 2016-05-13; 3 files, -0/+32)

  The TPS UI has been modified to show a warning message about removing the certificates and keys from the token when marking it for reuse.

  https://fedorahosted.org/pki/ticket/2287
* Added token status UNFORMATTED. (Endi S. Dewata, 2016-05-13; 3 files, -10/+15)

  A new token status UNFORMATTED has been added for new tokens added via UI/CLI and for TERMINATED tokens that are to be reused.

  https://fedorahosted.org/pki/ticket/2287
* Renamed token status READY to FORMATTED. (Endi S. Dewata, 2016-05-13; 3 files, -15/+15)

  The token status READY has been renamed to FORMATTED for clarity.

  https://fedorahosted.org/pki/ticket/2288
* Renamed CS.cfg.in to CS.cfg. (Endi S. Dewata, 2016-05-09; 2 files, -1/+1)

  The CS.cfg.in have been renamed to CS.cfg to clean up the CMake scripts and for consistency. This change does not affect the actual files shipped in the RPM packages.

  https://fedorahosted.org/pki/ticket/2278
* Updated default TPS token state transitions. (Endi S. Dewata, 2016-05-06; 1 file, -13/+10)

  The tps.operations.allowedTransitions property has been updated to include 4:4 transition by default.

  The inline documentation for tokendb.allowedTransitions and tps.operations.allowedTransitions has been updated to remove unsupported states and to add a note about adding/removing transitions.

  https://fedorahosted.org/pki/ticket/1290
* Renamed token status UNINITIALIZED to READY. (Endi S. Dewata, 2016-05-03; 3 files, -9/+9)

  The token status UNINITIALIZED has been renamed to READY for clarity.

  To simplify the transition, the CLIs and the REST API will continue to accept UNINITIALIZED but it will be converted internally into READY and a deprecation warning will be generated.

  https://fedorahosted.org/pki/ticket/2288
* Renamed token status TEMP_LOST to SUSPENDED. (Endi S. Dewata, 2016-05-03; 3 files, -10/+10)

  The token status TEMP_LOST has been renamed to SUSPENDED such that it can be used in more general contexts.

  To simplify the transition, the CLIs and the REST API will continue to accept TEMP_LOST but it will be converted internally into SUSPENDED and a deprecation warning will be generated.

  https://fedorahosted.org/pki/ticket/2286
* Updated TPS UI version number. (Endi S. Dewata, 2016-04-27; 1 file, -1/+1)
* Removed unused TPS user fields and group. (Endi S. Dewata, 2016-04-25; 4 files, -15/+1)

  The unused user status and type fields and the TPS Officers group have been removed from the TPS UI.

  https://fedorahosted.org/pki/ticket/2264
  https://fedorahosted.org/pki/ticket/2265
  https://fedorahosted.org/pki/ticket/2266
* Fixed TPS UI navigation. (Endi S. Dewata, 2016-04-25; 1 file, -7/+14)

  The TPS UI home page and the status menu item have been temporarily removed. The home links will now redirect to the tokens page.

  https://fedorahosted.org/pki/ticket/2261
  https://fedorahosted.org/pki/ticket/2262
* Add new usn entry to other subsystems (Ade Lee, 2016-04-15; 1 file, -0/+1)
* Ticket #1006 Audit logging for TPS REST operations (Christina Fu, 2016-03-28; 1 file, -2/+2)

  This patch adds audit logging to TPS REST write-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_*

  The affected (new or modified) log messages include:
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6
  LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6
  LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically. (Endi S. Dewata, 2016-03-28; 2 files, -1/+2)

  The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates. The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg.

  Duplicate code that loads the allowed transitions list has been merged and moved into TPSSubsystem.

  https://fedorahosted.org/pki/ticket/1808
* Added TPS token filter dialog. (Endi S. Dewata, 2016-03-17; 2 files, -1/+100)

  The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes.

  The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes.

  https://fedorahosted.org/pki/ticket/1482
* Replaced confirmation dialog with HTML dialog. (Endi S. Dewata, 2016-03-17; 3 files, -136/+27)

  The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear.

  https://fedorahosted.org/pki/ticket/1685
* Remove vestiges of NISAuth plugin (Fraser Tweedale, 2016-02-16; 1 file, -1/+0)

  Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit events (Christina Fu, 2016-02-15; 1 file, -2/+2)

  This patch implements the TPS operation auditing:
  TOKEN_APPLET_UPGRADE_SUCCESS, TOKEN_APPLET_UPGRADE_FAILURE, TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL, TOKEN_KEY_RECOVERY, TOKEN_CERT_STATUS_CHANGE_REQUEST, TOKEN_OP_REQUEST, TOKEN_FORMAT_SUCCESS, TOKEN_FORMAT_FAILURE, TOKEN_KEY_CHANGEOVER, TOKEN_KEY_CHANGEOVER_FAILURE, TOKEN_PIN_RESET_SUCCESS, TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE, TOKEN_AUTH_SUCCESS, TOKEN_AUTH_FAILURE

  Administrative auditing (via REST interface) will be covered in a separate ticket