summaryrefslogtreecommitdiffstats
path: root/base/tps
Commit message (Collapse)AuthorAgeFilesLines
* Updated TPS UI version number.Endi S. Dewata2016-04-271-1/+1
|
* Fixed activity logs for certificate revocations.Endi S. Dewata2016-04-262-38/+25
| | | | | | | | The TPSTokendb.shouldRevoke() has been modified such that it throws an exception instead of returning boolean. The method has also been renamed to checkShouldRevoke(). The revokeCert() and unrevokeCert() have been modified to catch the exception and log the failed operation.
* Added TPSTokendb.revokeCert() and unrevokeCert().Endi S. Dewata2016-04-261-55/+121
| | | | | | The code in TPSTokendb.revokeCertsByCUID() has been split into revokeCert() and unrevokeCert() to allow handling each operation separately.
* Moved TPSTokendb.tdbGetTokenEntry() invocations.Endi S. Dewata2016-04-261-11/+19
| | | | | The TPSTokendb.tdbGetTokenEntry() invocations in shouldRevoke() have been moved into revokeCertsByCUID().
* Added TPSCertRecord.getSerialNumberInBigInteger().Endi S. Dewata2016-04-262-18/+22
| | | | | The code that parses the token certificate serial number has been refactored into a new method in TPSCertRecord.
* Removed unused TPS user fields and group.Endi S. Dewata2016-04-254-15/+1
| | | | | | | | | The unused user status and type fields and the TPS Officers group have been removed from the TPS UI. https://fedorahosted.org/pki/ticket/2264 https://fedorahosted.org/pki/ticket/2265 https://fedorahosted.org/pki/ticket/2266
* Fixed TPS UI navigation.Endi S. Dewata2016-04-251-7/+14
| | | | | | | | The TPS UI home page and the status menu item been temporarily removed. The home links will now redirect to the tokens page. https://fedorahosted.org/pki/ticket/2261 https://fedorahosted.org/pki/ticket/2262
* Replaced TPS OP_DO_TOKEN activity.Endi S. Dewata2016-04-223-11/+14
| | | | | | | | For clarity the TPS operatons that generate OP_DO_TOKEN activity has been modified to generate OP_TOKEN_MODIFY instead, except for the changeTokenStatus() which will generate OP_TOKEN_STATUS_CHANGE. https://fedorahosted.org/pki/ticket/2268
* Add new usn entry to other subsystemsAde Lee2016-04-151-0/+1
|
* Ticket #2271 TMS- clean up key archival request records in ldapChristina Fu2016-04-133-18/+17
| | | | | | | | | This patch does the following: * it adds in the kra request an extra field called "delayLDAPCommit" * when the request comes in to be processed, it sets this field to "false" * by default, if this field does not exist, the updateRequest() method will just write to ldap, just like before; however, if this field exists and it contains "true" then it will delay the write * once the request is processed and all unwanted fields are cleared from the request record, it will set "delayLDAPCommit" to "false", and call updateRequest(), which will then do the actual write to ldap * In addition, I also screened through both KRA and TPS code and removed debug messages that contain those fields.
* Ticket #1519 token format should delete certs from token recordChristina Fu2016-04-062-0/+13
| | | | This patch removes certs from token record when it is formatted.
* Ticket #1006 Audit logging for TPS REST operationsChristina Fu2016-03-287-186/+844
| | | | | | | | | | | | | This patch adds audit logging to TPS REST wrote-specific operations. The read-specific operations are already captured by AuditEvent=AUTHZ_* The affected (new or modified) log messages include: LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8
* Generating TEMP_LOST to UNINITIALIZED/ACTIVE transitions dynamically.Endi S. Dewata2016-03-285-129/+97
| | | | | | | | | | | | | The TPS subsystem has been modified to generate the token state transitions from TEMP_LOST to UNINITIALIZED or ACTIVE dynamically depending on whether the token has certificates. The TEMP_LOST to ACTIVE transition has been removed from the CS.cfg. Duplicate code that loads the allowed transitions list has been merged and moved into TPSSubsystem. https://fedorahosted.org/pki/ticket/1808
* Added TPS token filter dialog.Endi S. Dewata2016-03-173-3/+127
| | | | | | | | | | | The TPS UI Tokens page and the pki tps-token-find CLI have been modified to provide an interface to filter tokens based on their attributes. The TokenService.findTokens() has been modified to accept additional search criteria based on token attributes. https://fedorahosted.org/pki/ticket/1482
* Fixed illegal token state transition via TEMP_LOST.Endi S. Dewata2016-03-174-23/+42
| | | | | | | | | | | | | | | | The TokenService.setTokenStatus() has been modified to restore the temporarily lost token back into either uninitialized or active state based on whether the token has certificates. The TPSTokendb.tdbGetCertRecordsByCUID() has been modified to use only tokenID attribute to search for token certificates more accurately. It also has been simplified to return the certificate records collection object directly. Some constructors were added to the TPSException to allow chaining the exception cause. https://fedorahosted.org/pki/ticket/1808
* Replaced confirmation dialog with HTML dialog.Endi S. Dewata2016-03-173-136/+27
| | | | | | | | | The TPS UI has been modified such that it will use an HTML-based dialog instead of the browser's built-in dialog such that the option to "prevent this page from creating additional dialogs" will no longer appear. https://fedorahosted.org/pki/ticket/1685
* Remove vestiges of NISAuth pluginFraser Tweedale2016-02-161-1/+0
| | | | Fixes: https://fedorahosted.org/pki/ticket/1674
* Ticket #1007 TPS audit eventsChristina Fu2016-02-1515-108/+631
| | | | | | This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_CERT_STATUS_CHANGE_REQUEST,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_FAILURE,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_STATE_CHANGE,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE Administrative auditing (via REST interface) will be covered in a separate ticket
* Fixed token change status operation.Endi S. Dewata2016-02-101-0/+8
| | | | | | | The TokenService has been modified to ignore token change status operation if the status is unchanged. https://fedorahosted.org/pki/ticket/1684
* Fixed token modify operation.Endi S. Dewata2016-02-082-31/+1
| | | | | | | The TPS UI and CLI have been modified to accept only user ID and policy attributes when modifying a token. https://fedorahosted.org/pki/ticket/1687
* Allow cert and key indexes > 9.Jack Magne2016-02-055-149/+380
| | | | | | | | | | | | | | | | | | | | | | | | | Ticket: Ticket #1734 : TPS issue with overflowing PKCS#11 cert index numbers This patch contains the following: 1. Fixes in TPS to allow the server to set and read muscle object ID's that are greater than 9. The id is stored as a single ASCII byte in the object id. Previous libcoolkey patches exist to now support numbers larger than 9, by the following: 0-9 is represented by the ascii chars for 0 through 9,. 10 - 35 represented by the ascii chars for 'A' through 'Z'. 36 - 61 represented by the ascii chars for 'a' through 'z'. Once coolkey is updated it will be able to read these id's. TPS with this patch will be able to both read number 0 - 62 and to set them when creating pkcs#11 objects to be stored on the token. When the proper libcoolkey is installed, the coolkey driver will be able to read certs and keys with id's > 9. Thus, for instance a cert with an id of C6, with keys of k12, and k13, will be supported and viewable in the Firefox cert viewer. Also the certs will be usable for operations. 2. A fix to the routine that finds a free id number to assign to a soon to be recovered cert will now have the ability to find unused slots instead of just inrementing one over the highest currently used index. 3. Made a couple of minor cleanup fixes to externalReg functionality discovered during testing of this feature.
* Added resource bundle for token state labels.Endi S. Dewata2016-02-055-27/+68
| | | | | | | | | | | | | | | The labels for token states and the transitions are now stored in token-states.properties. The default file will be stored in the /usr/share/pki/tps/conf, but it can be overriden by copying and customizing the file into <instance>/tps/conf. When the UI retrieves the token data the labels for the current state and the valid transitions will be loaded from the file and returned to the UI. The UI will show the transition labels in the dropdown list for changing token status. https://fedorahosted.org/pki/ticket/1289 https://fedorahosted.org/pki/ticket/1291
* Fixed token add operation.Endi S. Dewata2016-02-054-33/+54
| | | | | | | | The TPS UI and CLI have been modified to accept only token ID, and optionally user ID and policy attributes when adding a token. https://fedorahosted.org/pki/ticket/1477 https://fedorahosted.org/pki/ticket/1687
* Fixed LDAP error handling in TokenService.Endi S. Dewata2016-02-051-0/+53
| | | | | | | | | | The DBSSession has been modified to attach the LDAPException to the EDBException. The TokenService will catch the EDBException and obtain the orignal LDAPException. This way the TokenService can obtain the LDAP error code and throw the proper exception the client. https://fedorahosted.org/pki/ticket/1646
* Fixed error handling in TokenService.Endi S. Dewata2016-02-031-21/+52
| | | | | | | | | The TokenService has been modified to re-throw the original PKIException. This way on invalid token state transition the client will receive the original BadRequestException. Other types of exception will be wrapped with PKIException. https://fedorahosted.org/pki/ticket/1684
* Fixed TPS token state transitions.Endi S. Dewata2016-02-037-46/+66
| | | | | | | | | | | | | | | | | | | | The TPS service has been modified to provide a list of allowed state transitions based on the current token state. The TPS UI was modified to display only the allowed state transitions when changing the token status. The allowed state transition list has been modified to remove invalid token transitions including: * UNINITIALIZED -> FOUND * UNINITIALIZED -> TEMP_LOST_PERM_LOST The token FOUND state has been renamed to ACTIVE for clarity. The token TEMP_LOST_PERM_LOST state has been merged into PERM_LOST since they are identical in the database. https://fedorahosted.org/pki/ticket/1289 https://fedorahosted.org/pki/ticket/1291 https://fedorahosted.org/pki/ticket/1684
* Fixed TPS UI logout error message.Endi S. Dewata2016-02-021-1/+1
| | | | | | | | The TPS UI has been modified such that if the browser does not support logout operation it will show a message asking the user to clear the Active Logins or close the browser. https://fedorahosted.org/pki/ticket/1344
* Remove obsolete catalina config filesFraser Tweedale2016-01-212-269/+0
|
* Ticket #1007 preparation work - replace auditMsg with logMsgChristina Fu2016-01-205-302/+302
| | | | | | | | For ticket #1007 TPS Audit Events, we need to add audit messages. The existing parameter name "auditMsg" has been used broadly for TPS logging, which could be confused for the actual audit messages. This patch is to replace all the existing "auditMsg" parameters with "logMsg" instead.
* Added interface to run selftest in TPS UI.Endi S. Dewata2016-01-183-10/+197
| | | | | | | The TPS UI has been modified to provide an interface to run the selftests and display the results. https://fedorahosted.org/pki/ticket/1502
* Added table to manage TPS user profiles.Endi S. Dewata2016-01-182-20/+252
| | | | | | | | | | | The TPS UI has been modified to provide a table as an interface to manage the user profiles. When adding a profile, the profile can be selected from a list of available profiles. The UserService and UGSubsystem have been modified to allow adding a user with no assigned profiles. https://fedorahosted.org/pki/ticket/1478
* Fixed TPS UI to display accessible services only.Endi S. Dewata2016-01-183-8/+35
| | | | | | | | | | The TPS UI has been modified to display the accessible services based on the user's roles. A TPS admin has access to all services. A TPS agent has access to tokens, certificates, activities, and profiles. A TPS operator has access to tokens, certificates, and activities only. https://fedorahosted.org/pki/ticket/1476
* Ticket #1375 Provide cert/key retention for externalRegChristina Fu2016-01-153-56/+368
| | | | | | | | | | | | | | | | | | | | | Ticket #1514 TPS: Recovered certs on a token has status expired Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box This patch provides the cert/key retention feature for externalReg. If the certsToAdd field contains (serial,ca#) instead of the full (serial, ca#, keyId, kra#), then it is expecting the cert/keys to be retained from token without having to do a full retrieval (recovery); If an exisiting cert (and its keys) on the token is not explicitly retained then it is deleted. This patch also fixes the issues reported in #1514 and #1587 as testing of #1375 is easier with those two issues addressed. An issue was found during development where Coolkey puts limits on the cert/key ids on the token and make it impossible to inject cert ID higher than 4, as it would then result in key ids into two digits. Another issue that adds to running into the limit is that the function that gets the next free certid number does not make any attempt to search for "holes" to reuse. The cert/key id assignment/limit issue will be filed as a separte ticket and addressed separately. More complicated testing will be conducted then.
* Ticket #1527 TPS connector always goes to "ca1"Christina Fu2015-10-272-25/+30
|
* Removed unused WizardServlet.Endi S. Dewata2015-10-223-475/+0
| | | | | | | | | | The unused configuration wizard servlet has been removed to simplify refactoring other codes. The remaining references in CertUtil and ConfigurationUtils have been removed as well. https://fedorahosted.org/pki/ticket/1120
* Ticket #1648 [RFE] provide separate cipher lists for CS instances acting as ↵Christina Fu2015-10-201-2/+8
| | | | client and server This patch provides subsystem->subsystem cipher configuration when acting as a client
* Updated TPS UI element IDs.Endi S. Dewata2015-10-1518-43/+43
| | | | | | | | | | | | The TPS UI navigation elements have been updated to add the missing names and to use better names. The checkbox IDs in various pages have also been renamed for consistency. The pki-ui.js has been modified to use the checkbox ID of the template row instead of table name to construct the checkbox ID of the actual rows. https://fedorahosted.org/pki/ticket/1622
* Ticket 1307 - CUID range issue for [RFE] Support multiple keySets for ↵Christina Fu2015-08-263-5/+5
| | | | | | | | | | different cards for ExternalReg The patch fixes an issue that the CUID comes in from the client has a different format than that of the config cuid range strings. With the right conversion, the cuid range would then be evaluated correctly. The issue may only be discovered with certain cuid data, as it was not reproduceable in the dev environment.
* Ticket 1307 minor fix for - [RFE] Support multiple keySets for different ↵Christina Fu2015-08-241-8/+15
| | | | | | | | | cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box The earlier patch works fine for the feature requested. However, the default keySetMappingResolver filter contains keySet extension which would fail smart cards. Although this could be easily worked around, this patch provides the default that would make it easier to play with.
* SC650 format/enroll failsJack Magne2015-08-241-1/+11
| | | | Simple fix to correctly identify scp01/gp201 sc650 card.
* Reverse previous merge commit.Jack Magne2015-08-241-11/+1
|
* SC650 format/enroll failsJack Magne2015-08-241-1/+11
| | | | Simple fix to correctly identify scp01/gp201 sc650 card.
* Add code to reindex data during cloning without replicationAde Lee2015-07-312-0/+16
| | | | | | | | | | | | | When setting up a clone, indexes are added before the replication agreements are set up and the consumer is initialized. Thus, as data is replicated and added to the clone db, the data is indexed. When cloning is done with the replication agreements already set up and the data replicated, the existing data is not indexed and cannot be accessed in searches. The data needs to be reindexed. Related to ticket 1414
* op.format.externalRegAddToToken.revokeCert parameter missing in TPS CS.cfg.Jack Magne2015-07-281-0/+1
| | | | | | | | | It is true that his setting is not present. The generic code that revokes certs for a format checks this value. No harm in putting this value in the CS.cfg and setting it to false by default for the externalRegAddToToken profile. No harm in giving the user the way to use this feature , even if we decide it is not a good idea to revoke certs associated with the external reg feature.
* Ticket 1307 issue: FilterMappingResolver always returns targetChristina Fu2015-07-282-7/+12
|
* TPS UI: After successful key upgrade during pin reset operation the token db ↵Jack Magne2015-07-281-0/+15
| | | | | | | still shows old key Simple matter of not updating the token record at the end of the pin reset operation. Also, make sure the activity log is correct.
* Added pki-tps-profile man page.Endi S. Dewata2015-07-181-0/+3
| | | | | | | | | A new man page has been added for the pki tps-profile CLI. The CLI has been modified to refer to the new man page. Some other man pages have been cleaned up as well. https://fedorahosted.org/pki/ticket/1271
* TPS add phone home URLs to pkidaemon status message.Jack Magne2015-07-161-258/+0
| | | | | | Ticket # 1466 . Also remove some needless copies of server.xml from the code.
* Fix Pin Reset tokenType resolution.Jack Magne2015-07-012-13/+31
| | | | | | | Ticket #1423 Pin reset operation using tpsclient fails. Recently we had added a new way to resolve the profile. That new method was not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.
* Add GP211 applet and latest GP201 applet for RSA.Jack Magne2015-07-015-43/+34
| | | | | | | | | Ticket # 793: Add support for Secure Channel Protocol 02 Properly select the coolkey applet in the "getAppletVersion" routine. For some reason the gp211 applet revealed this issue. Tested to work with both gp211 scp02 card and gp201 scp01 card.
generated by cgit (git 2.34.1) at 2024-05-31 13:18:54 +0000