summaryrefslogtreecommitdiffstats
path: root/base/tps
Commit message (Collapse)AuthorAgeFilesLines
* Removed unused WizardServlet.Endi S. Dewata2015-10-233-475/+0
| | | | | | | | | | | The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well. https://fedorahosted.org/pki/ticket/1120 (cherry picked from commit 60fa66aa04ec61350420d95a554c0cec7834ebbd)
* Ticket 1307 minor fix for - [RFE] Support multiple keySets for different ↵Christina Fu2015-08-241-8/+15
| | | | | | | | | | | cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box The earlier patch works fine for the feature requested. However, the default keySetMappingResolver filter contains keySet extension which would fail smart cards. Although this could be easily worked around, this patch provides the default that would make it easier to play with. (cherry picked from commit ee93ca05ec3a52fcf6239c48c167d8d5566b81cd)
* SC650 format/enroll failsJack Magne2015-08-241-1/+11
| | | | | | Simple fix to correctly identify scp01/gp201 sc650 card. (cherry picked from commit 3158e1279b210d9f409918b24180bf20b0774614)
* Add code to reindex data during cloning without replicationAde Lee2015-07-312-0/+16
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg.Jack Magne2015-07-281-0/+1
| | | | | | | | | It is true that his setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature , even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* Ticket 1307 issue: FilterMappingResolver always returns targetChristina Fu2015-07-282-7/+12
|
* TPS UI: After successful key upgrade during pin reset operation the token db ↵Jack Magne2015-07-281-0/+15
| | | | | | | still shows old key Simple matter of not updating the token record at the end of the pin reset operation. Also, make sure the activity log is correct.
* Added pki-tps-profile man page.Endi S. Dewata2015-07-181-0/+3
| | | | | | | | | A new man page has been added for the pki tps-profile CLI. The CLI has been modified to refer to the new man page. Some other man pages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1271
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-161-258/+0
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Fix Pin Reset tokenType resolution.Jack Magne2015-07-012-13/+31
| | | | | | | Ticket #1423 Pin reset operation using tpsclient fails. Recently we had added a new way to resolve the profile. That new method was not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
* Add GP211 applet and latest GP201 applet for RSA.Jack Magne2015-07-015-43/+34
| | | | | | | | | Ticket # 793: Add support for Secure Channel Protocol 02 Properly select the coolkey applet in the "getAppletVersion" routine. For some reason the gp211 applet revealed this issue. Tested to work with both gp211 scp02 card and gp201 scp01 card.
* Cleaned up SystemConfigService.configureClone().Endi S. Dewata2015-07-011-1/+1
| | | | | | The getCloningData() in SystemConfigService has been renamed to configureClone(). Redundant try-catch blocks have been removed. Some exception messages have been modified to include more info.
* Fixed selftests log message.Endi S. Dewata2015-06-232-32/+49
| | | | | | | | | | | | | The SelfTestSubsystem has been modified to display a 'successful' message only if all tests have passed. If a test fails, it will log a failure, subsequent tests will not be executed, and the subsystem will shutdown immediately. The runSelfTest() in various tests have been cleaned up to throw the original exception to help troubleshooting. The unused RAPresence test has been removed. https://fedorahosted.org/pki/ticket/1249
* Ticket 867 Need to support TPS as a separate tomcat instance.Christina Fu2015-06-011-1/+1
| | | | | This patch addressed the issue that TPS on independent Tomcat is missing symlink to symkey.jar and causes all symkey method reference to fail
* remove extra space in CS.cfg for ↵Christina Fu2015-05-291-1/+1
| | | | op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true
* Fix typo in CS.cfgAde Lee2015-05-291-1/+1
|
* Ticket 1309 Recovering of a revoked cert erroneously reflects "active" in ↵Christina Fu2015-05-228-18/+214
| | | | the token db cert entry
* Ticket 1307 (part2 keySet mapping) [RFE] Support multiple keySets for ↵Christina Fu2015-05-2110-242/+477
| | | | different cards for ExternalReg This patch adds support to keyset mapping
* Ticket 1307 (part1 refactoring) [RFE] Support multiple keySets for different ↵Christina Fu2015-05-219-242/+245
| | | | cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.
* Fixed authentication data in audit log.Endi S. Dewata2015-05-051-1/+3
| | | | | | | | | | | The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable. https://fedorahosted.org/pki/ticket/1054
* Remove duplicate prompt on nuxwdog startupAde Lee2015-04-231-1/+1
|
* Moved color settings to CSS.Endi S. Dewata2015-04-222-2/+2
| | | | | | | The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file. https://fedorahosted.org/pki/ticket/1296
* Parameterized service.template in all subsystems.Endi S. Dewata2015-04-221-106/+0
| | | | https://fedorahosted.org/pki/ticket/1296
* Changes to config files to support nuxwdogAde Lee2015-04-221-0/+1
| | | | Specifically changes to CS.cfg, server.xml and tomcat.conf
* Added support for Tomcat 8.Endi S. Dewata2015-04-215-0/+59
| | | | | | | | | | | | The Dogtag code has been modified to support both Tomcat 7 and 8. All files depending on a specific Tomcat version are now stored in separate folders. The build scripts have been modified to use the proper folder for the target platform. The tomcatjss dependency has been updated as well. The upgrade script will be added in a separate patch. https://fedorahosted.org/pki/ticket/1264
* Added bulk property editor in TPS UI.Endi S. Dewata2015-04-177-2/+213
| | | | | | | | | The TPS UI has been modified to provide an interface to edit raw properties as in the configuration file. This also allows editing multiple properties at once and also copy & pasting the properties. https://fedorahosted.org/pki/ticket/936
* Fixed action menu in TPS UI.Endi S. Dewata2015-04-1720-177/+419
| | | | | | | | | | The TPS UI has been modified to display the appropriate actions menu based on the roles of the user. TPS agent can only enable and disable profiles, and also approve or reject pending requests. TPS admin can only edit disabled profiles, then submit it for approval, or cancel the request. https://fedorahosted.org/pki/ticket/1292
* Fixed TPS REST services.Endi S. Dewata2015-04-176-70/+196
| | | | | | | | The REST services have been modified to support submit and cancel actions. The ACL has been fixed to allow admins and agents to change the status. https://fedorahosted.org/pki/ticket/1292
* Customized TPS UI menu based on user roles.Endi S. Dewata2015-04-1714-49/+92
| | | | | | | | | | | The TPS UI has been modified to customize the navigation menu based on the roles of the user currently logged in. TPS agents do not have access to users, groups, config, authenticators, connectors, profile mappings, audit, and self tests, so the corresponding menu items will be hidden. TPS admins have access to all menu items. https://fedorahosted.org/pki/ticket/1292
* Ticket#1028 phase2: TPS rewrite: provide externalReg functionalityChristina Fu2015-04-148-126/+240
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is the 2nd phase of the externalReg feature, it makes the following improvements: * added feature: recovery by keyid (v.s. by cert) * fixed some auditing message errors * added some missing ldapStringAttributes needed for delegation to work properly * added missing externalReg required config parameters * made corrections to some externalReg related parameters to allow delegation to work properly * added handle of some error cases * made sure externalReg enrollment does not go half-way (once fails, bails out) tested: * enrollment of the three default TPS profiles (tokenTypes) * format of the tokens enrolled with the three default tps profiles * delegation enrollments * cuid match check next phase: * cert/key retention (allow preserving existing certs/keys on the token) note: * some of the activity log and cert status related issues that are not specifically relating to externalReg will be addressed in other more relevant tickets.
* Fixed problem deleting newly created TPS profiles.Endi S. Dewata2015-04-084-17/+27
| | | | | | | | | All TPS services have been fixed to set the default status of a new record to Disabled if the client does not provide the initial status. This will ensure a newly created profile to always have a status so it can be deleted normally. https://fedorahosted.org/pki/ticket/1273
* Fixed problem with TPS profile default status.Endi S. Dewata2015-04-087-63/+67
| | | | | | | | | | The base class of ProfileDatabase (i.e. CSCfgDatabase) has been modified to return the correct default value (i.e. Enabled) if the status parameter doesn't exist. The TPSProcessor has been modified to use ProfileDatabase and other TPS codes have also been changed to use constants instead of string literals to ensure consistency. https://fedorahosted.org/pki/ticket/1270
* Fixed incorrect link in TPS UI.Endi S. Dewata2015-04-081-1/+1
| | | | | | | The "Subsystem Connections" link in the home.html has been fixed to point to #connectors. https://fedorahosted.org/pki/ticket/1274
* Added interface to show TPS token certificates.Endi S. Dewata2015-04-087-7/+45
| | | | | | | The TPS REST service, CLI, and UI have been modified to provide an interface to search for certificates belonging to a token. https://fedorahosted.org/pki/ticket/1164
* NISTSP8000 feature.Jack Magne2015-03-178-52/+515
| | | | | | | | | | | | | | | | | | | Implementation of the nistSP800 dervication feature. Works for both supported scp01 cards and scp02 cards. During the various session key and key upgrade functions, the nist dervication code is being called. Review comments addressed Cleanup of some input validation on the TKS. Added some sanity checking on the TPS side for key versions and token cuid's and kdd's. Final review comments. Fixed issue with extracting the kdd from the AppletInfo class. Fixed issue with sending the KDD to the encryptData TKS servlet. Added requested entries to the CS.cfg .
* Allow use of secure LDAPS connectionMatthew Harmsen2015-03-131-1/+1
| | | | - PKI TRAC Ticket #1144 - pkispawn needs option to specify ca cert for ldap
* Ticket: TPS Rewrite: Implement Secure Channel Protocol 02 (#883).Jack Magne2015-02-277-148/+1269
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | First cut of gp211 and scp protocol 02 for tokens. Allow token operations using a GP211 token over secure channel protocol 02. This patch supports the following: 1. Token operations with a GP211 card and SCP02 protocol, implementation 15. 2. Token still supports GP201 cards with SCP01. 3. SCP02 tested with SC650 gp211/scp02 card. Things still to do: 1. Right now the SCP02 support has been tested with the current gp201 applet and enrollment and formatting works just fine. We need to modify and compile the applet against the GP211 spec and retest to see if any further changes are needed. 2. The nistSP800 key derivation stuff is not completed for the SCP02 protocol. Some of the routines are self contained vs similar SCP01 ones. We have another ticket to complete the nistSP800 support from end to end. This work will be done for that ticket. 3. One of the new scp02 deriviation functions can make use of a new NSS derive mechanism. As of now this work is done by simple encryption, this can be done later. 4. The security APDU level of "RMAC" is not supported because the card does not support it. It could have been done to the spec, but it having the card to test is more convenient and there were more crucial issues to this point.
* Add granularity to token termination in TPSAde Lee2015-02-264-35/+160
| | | | | | BZ 1163987. Added revocation checks to optionally revoke expired certs, and handle cases where certs are shared on multiple tokens.
* Refactored LDAPDatabase.createFilter().Endi S. Dewata2015-02-113-20/+42
| | | | | | | | | | The createFilter() method in LDAPDatabase has been changed to construct an LDAP filter based on a keyword and a set of attributes with their values. This will allow searching the database based on specific attribute values. The subclasses of LDAPDatabase have been updated accordingly. https://fedorahosted.org/pki/ticket/1164
* Ticket#1028 Phase1:TPS rewrite: provide externalReg functionalityChristina Fu2015-02-1010-159/+1579
|
* Fix-for-Bug-1170867-TPS-Installation-FailedJack Magne2014-12-164-116/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix now includes last review comments where we decided to consolidate 3 of the ldif files: schema.ldif,database.ldif, and manager.ldif. Each one of these 3 files contains the data needed for any subsystem for that file. The subsystem specific files for these 3 go away in the source tree. The first iteration of this fix was copying these 3 files into an undesirable directory. This is no longer the case. Extra code in the python installer allows one to establish a "file exclusion" callback to keep a set of desired files from being copied when the installer does a directory copy. All subsystems have been tested, including TPS with a brand new DS (which was the original reason for this fix), and they appear to work fine. Addressed further review comments: 1. Removed trailing whitespace instances from schema.ldif which had some. 2. Used pycharm to remove the few PEP violations I had previously added to the Python code. 3. Changed the format of the schema.ldif file to make all the entries use the same style. Previously the TPS entries was using an all in one syntax. No more since now each entry is separate. 4. Changed the name of an argument in one of the new Python methods to get rid of a camelCase instance. 5. Tested everything to work as before, including basic TPS operations such as Format. Fixed a method comment string and fixed some typos.
* Provide standalone Pin Reset Processor.Jack Magne2014-09-234-202/+295
| | | | | | | Now an enrolled token can have its pin changed with esc without doing another enrollment. Actually call authentication for this pin reset operation now. Review fix.
* Ticket #882 - remove all certs belong to a token in tokendb before addChristina Fu2014-09-051-0/+9
|
* Ticket #1146 Tomcat TPS: missing "keyType" for renewed certs in the cert recordsChristina Fu2014-09-041-5/+2
|
* Ticket #882 - delete certs associated to a token when token is removedChristina Fu2014-09-042-0/+30
|
* Revert "Enabled certificate revocation checking by default."Endi S. Dewata2014-09-041-4/+0
| | | | | | | This reverts commit 223d15539b7bcc0df025025036af2935726e52e3. The patch does not work for subsystems installed on separate instance since it will require additional OCSP setup.
* Rename pki-tps-tomcat to pki-tpsMatthew Harmsen2014-09-03177-0/+29919
| | | | * PKI TRAC Ticket #1017 - Rename pki-tps-tomcat to pki-tps
* Misc TPS packaging tasks:Jack Magne2014-08-22520-124678/+0
| | | | | | | | | | | | | 1. Make sure the new TPS packages all the applet files, like the old TPS has done. 2. Create a small new package called "pki-tps-client", which will hold ONLY the command line utility "tpsclient" and all of its supporting libraries. 3. Move the directory pki/base/tps to pki/base/tps-client We will do this until we can rewrite "tpclien" on the new Java TPS system. Add package pki-tps-client.
* Change LDAP Attributes to allow for tr_TR localeMatthew Harmsen2014-05-201-3/+3
| | | | | * PKI TRAC Ticket #946 - Installation of IPA hangs up when LANG is set to tr_TR.UTF8
* Further progress Format operation.Jack Magne2014-04-141-0/+9
| | | | | | | | | | | | 1. Read applet into memory to prepare to write to token. 2. With tpsclient create secure channel by implementing Initialize Update and ExternalAuthenticate messages. 3. Support for MAC and encryption for messages going on after secure channel has been created. 4. Implemented method to remove an aid file or instance from the token. 5. Added some symkey methods to allow TPS to manipulate session keys. 6. Performed some cfu feedback fixes such as changing al the names of APDU classes to have APDU in the name. Have not tried this with real token as of yet. The tpsclient does verify of the MAC coming from the server and decrypts encrypted messages. Decrypted messages have to be correct for the MAC verification to work. Next step will be to add the phone home servlet to the TPS and give it a try with a real token and esc.
generated by cgit (git 2.34.1) at 2024-06-02 19:54:57 +0000