| Commit message (Collapse) | Author | Age | Files | Lines |

Fixes: https://fedorahosted.org/pki/ticket/1674

This patch implements the TPS operation auditing: TOKEN_APPLET_UPGRADE_SUCCESS, TOKEN_APPLET_UPGRADE_FAILURE, TOKEN_CERT_ENROLLMENT, TOKEN_CERT_RENEWAL, TOKEN_CERT_RETRIEVAL, TOKEN_KEY_RECOVERY, TOKEN_CERT_STATUS_CHANGE_REQUEST, TOKEN_OP_REQUEST, TOKEN_FORMAT_SUCCESS, TOKEN_FORMAT_FAILURE, TOKEN_KEY_CHANGEOVER, TOKEN_KEY_CHANGEOVER_FAILURE, TOKEN_PIN_RESET_SUCCESS, TOKEN_PIN_RESET_FAILURE, TOKEN_STATE_CHANGE, TOKEN_AUTH_SUCCESS, TOKEN_AUTH_FAILURE
Administrative auditing (via REST interface) will be covered in a separate ticket.

The TokenService has been modified to ignore the token change status
operation if the status is unchanged.
https://fedorahosted.org/pki/ticket/1684

The TPS UI and CLI have been modified to accept only user ID and
policy attributes when modifying a token.
https://fedorahosted.org/pki/ticket/1687

Ticket #1734: TPS issue with overflowing PKCS#11 cert index numbers
This patch contains the following:
1. Fixes in TPS to allow the server to set and read muscle object IDs that are greater than 9.
The id is stored as a single ASCII byte in the object id. Previous libcoolkey patches exist to now support numbers
larger than 9, by the following:
0-9 is represented by the ascii chars for 0 through 9.
10 - 35 represented by the ascii chars for 'A' through 'Z'.
36 - 61 represented by the ascii chars for 'a' through 'z'.
Once coolkey is updated it will be able to read these IDs.
TPS with this patch will be able to both read number 0 - 62 and to set them when creating pkcs#11 objects to be stored on the token.
When the proper libcoolkey is installed, the coolkey driver will be able to read certs and keys with IDs > 9. Thus, for instance a cert with an id of C6, with keys of k12, and k13, will be supported and viewable in the Firefox cert viewer. Also the certs will be usable for operations.
2. A fix to the routine that finds a free id number to assign to a soon to be recovered cert: it will now have the ability to find unused slots instead of just incrementing one over the highest currently used index.
3. Made a couple of minor cleanup fixes to externalReg functionality discovered during testing of this feature.
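The single-byte index encoding and the free-slot search described in this commit message, as an added example (not Dogtag TPS or libcoolkey code): it maps an index in the listed 0 through 61 range to its ASCII byte and back, and picks the lowest unused cert index so holes left by deleted certs are reused. The 'C'/'k' object ID prefixes, the 2n/2n+1 key indexes per cert (inferred from the C6 with k12/k13 example) and the sample token contents are assumptions constructed for illustration.

```python
import string

# 62 symbols: '0'-'9' -> 0-9, 'A'-'Z' -> 10-35, 'a'-'z' -> 36-61
INDEX_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def encode_index(n: int) -> str:
    """Map an object index to the single ASCII byte stored in the object ID."""
    if not 0 <= n < len(INDEX_ALPHABET):
        raise ValueError(f"index {n} out of range 0..{len(INDEX_ALPHABET) - 1}")
    return INDEX_ALPHABET[n]


def decode_index(ch: str) -> int:
    """Inverse of encode_index; rejects bytes outside the alphabet."""
    if len(ch) != 1 or ch not in INDEX_ALPHABET:
        raise ValueError(f"invalid index byte {ch!r}")
    return INDEX_ALPHABET.index(ch)


def object_id(prefix: str, n: int) -> str:
    """Two-byte object ID such as 'C6' or 'CC' (assumed prefix + index byte)."""
    return prefix + encode_index(n)


def key_ids_for_cert(n: int) -> tuple:
    """Assumed layout: cert n owns key indexes 2n and 2n+1 (C6 -> k12, k13)."""
    return object_id("k", 2 * n), object_id("k", 2 * n + 1)


def used_cert_indexes(token_object_ids) -> set:
    """Cert indexes currently present on the token (IDs starting with 'C')."""
    return {decode_index(oid[1]) for oid in token_object_ids if oid.startswith("C")}


def next_free_cert_index(token_object_ids) -> int:
    """Lowest unused cert index, reusing holes instead of going past the max."""
    used = used_cert_indexes(token_object_ids)
    for n in range(len(INDEX_ALPHABET)):
        if n not in used:
            return n
    raise RuntimeError("no free cert index left on token")


# Constructed token contents: certs 0, 1, 3 and 12 with their key pairs;
# cert index 2 was deleted and should be handed out next.
SAMPLE_TOKEN_OBJECTS = ["C0", "k0", "k1", "C1", "k2", "k3",
                        "C3", "k6", "k7", "CC", "kO", "kP"]
```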

The labels for token states and the transitions are now stored
in token-states.properties. The default file will be stored
in the /usr/share/pki/tps/conf, but it can be overridden by
copying and customizing the file into <instance>/tps/conf.
When the UI retrieves the token data the labels for the current
state and the valid transitions will be loaded from the file
and returned to the UI. The UI will show the transition labels
in the dropdown list for changing token status.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291

The TPS UI and CLI have been modified to accept only token ID,
and optionally user ID and policy attributes when adding a token.
https://fedorahosted.org/pki/ticket/1477
https://fedorahosted.org/pki/ticket/1687

The DBSSession has been modified to attach the LDAPException
to the EDBException. The TokenService will catch the EDBException
and obtain the original LDAPException. This way the TokenService
can obtain the LDAP error code and throw the proper exception
to the client.
https://fedorahosted.org/pki/ticket/1646

The TokenService has been modified to re-throw the original
PKIException. This way on invalid token state transition the
client will receive the original BadRequestException. Other
types of exception will be wrapped with PKIException.
https://fedorahosted.org/pki/ticket/1684

The TPS service has been modified to provide a list of allowed
state transitions based on the current token state. The TPS UI
was modified to display only the allowed state transitions when
changing the token status.
The allowed state transition list has been modified to remove
invalid token transitions including:
* UNINITIALIZED -> FOUND
* UNINITIALIZED -> TEMP_LOST_PERM_LOST
The token FOUND state has been renamed to ACTIVE for clarity.
The token TEMP_LOST_PERM_LOST state has been merged into
PERM_LOST since they are identical in the database.
https://fedorahosted.org/pki/ticket/1289
https://fedorahosted.org/pki/ticket/1291
https://fedorahosted.org/pki/ticket/1684

The TPS UI has been modified such that if the browser does not
support the logout operation it will show a message asking the user
to clear the Active Logins or close the browser.
https://fedorahosted.org/pki/ticket/1344

For ticket #1007 TPS Audit Events, we need to add audit messages.
The existing parameter name "auditMsg" has been used broadly for
TPS logging, which could be confused for the actual audit messages.
This patch is to replace all the existing "auditMsg" parameters with
"logMsg" instead.

The TPS UI has been modified to provide an interface to run the
selftests and display the results.
https://fedorahosted.org/pki/ticket/1502

The TPS UI has been modified to provide a table as an interface
to manage the user profiles. When adding a profile, the profile
can be selected from a list of available profiles.
The UserService and UGSubsystem have been modified to allow adding
a user with no assigned profiles.
https://fedorahosted.org/pki/ticket/1478

The TPS UI has been modified to display the accessible services
based on the user's roles. A TPS admin has access to all services.
A TPS agent has access to tokens, certificates, activities, and
profiles. A TPS operator has access to tokens, certificates, and
activities only.
https://fedorahosted.org/pki/ticket/1476

Ticket #1514 TPS: Recovered certs on a token has status expired
Ticket #1587 External Registration Recovery only works for 1024 sized keys out of the box
This patch provides the cert/key retention feature for externalReg.
If the certsToAdd field contains (serial,ca#) instead of the full
(serial, ca#, keyId, kra#), then it is expecting the cert/keys to be
retained from token without having to do a full retrieval (recovery);
If an existing cert (and its keys) on the token is not explicitly
retained then it is deleted.
This patch also fixes the issues reported in #1514 and #1587 as testing
of #1375 is easier with those two issues addressed.
An issue was found during development where Coolkey puts limits on the
cert/key ids on the token and makes it impossible to inject a cert ID higher
than 4, as it would then result in key ids of two digits.
Another issue that adds to running into the limit is that the function
that gets the next free certid number does not make any attempt to search
for "holes" to reuse.
The cert/key id assignment/limit issue will be filed as a separate ticket
and addressed separately. More complicated testing will be conducted then.

The unused configuration wizard servlet has been removed to
simplify refactoring other code.
The remaining references in CertUtil and ConfigurationUtils
have been removed as well.
https://fedorahosted.org/pki/ticket/1120

client and server This patch provides subsystem->subsystem cipher configuration when acting as a client

The TPS UI navigation elements have been updated to add the
missing names and to use better names. The checkbox IDs in various
pages have also been renamed for consistency.
The pki-ui.js has been modified to use the checkbox ID of the
template row instead of table name to construct the checkbox ID
of the actual rows.
https://fedorahosted.org/pki/ticket/1622

different cards for ExternalReg
The patch fixes an issue where the CUID that comes in from the client has a different
format than that of the config cuid range strings. With the right conversion,
the cuid range would then be evaluated correctly. The issue may only be
discovered with certain cuid data, as it was not reproducible in the dev
environment.

cards for ExternalReg - make default keySetMappingResolver work for smart cards out of box
The earlier patch works fine for the feature requested. However, the default
keySetMappingResolver filter contains keySet extension which would fail smart
cards. Although this could be easily worked around, this patch provides the
default that would make it easier to play with.

Simple fix to correctly identify scp01/gp201 sc650 card.

Simple fix to correctly identify scp01/gp201 sc650 card.

When setting up a clone, indexes are added before the
replication agreements are set up and the consumer is initialized.
Thus, as data is replicated and added to the clone db, the
data is indexed.
When cloning is done with the replication agreements already set
up and the data replicated, the existing data is not indexed and
cannot be accessed in searches. The data needs to be reindexed.
Related to ticket 1414

It is true that this setting is not present.
The generic code that revokes certs for a format checks this value.
No harm in putting this value in the CS.cfg and setting it to false by
default for the externalRegAddToToken profile. No harm in giving the user
the way to use this feature, even if we decide it is not a good idea to revoke
certs associated with the external reg feature.

still shows old key
Simple matter of not updating the token record at the end of the pin reset operation.
Also, make sure the activity log is correct.

A new man page has been added for the pki tps-profile CLI. The
CLI has been modified to refer to the new man page.
Some other man pages have been cleaned up as well.
https://fedorahosted.org/pki/ticket/1271

Ticket #1466.
Also remove some needless copies of server.xml from the code.

Ticket #1423 Pin reset operation using tpsclient fails.
Recently we had added a new way to resolve the profile. That new method was
not used in the PinReset Processor. This fix addresses that and allows the Pin Reset operation to complete.

Ticket #793: Add support for Secure Channel Protocol 02
Properly select the coolkey applet in the "getAppletVersion" routine.
For some reason the gp211 applet revealed this issue.
Tested to work with both gp211 scp02 card and gp201 scp01 card.

The getCloningData() in SystemConfigService has been renamed to
configureClone(). Redundant try-catch blocks have been removed.
Some exception messages have been modified to include more info.

The SelfTestSubsystem has been modified to display a 'successful'
message only if all tests have passed. If a test fails, it will
log a failure, subsequent tests will not be executed, and the
subsystem will shut down immediately.
The runSelfTest() in various tests has been cleaned up to throw
the original exception to help troubleshooting. The unused
RAPresence test has been removed.
https://fedorahosted.org/pki/ticket/1249

This patch addresses the issue that TPS on independent Tomcat is missing
the symlink to symkey.jar, which causes all symkey method references to fail.

op.format.soCleanSOToken.validateCardKeyInfoAgainstTokenDB=true

the token db cert entry

different cards for ExternalReg This patch adds support to keyset mapping

cards for ExternalReg This patch is mainly refactoring the names of the Mapping Resolver framework in preparation for ticket 1307 to support keySet mapping in addition to the original purpose of resolving tokenType mapping. The reason to separate out refactoring from the real code is for ease of reviewing. TPS is currently a Tech Preview feature, so upgrade is not of consideration at the moment.

The REST methods may be executed by different threads even though
they are invoked in the same session. A new interceptor has been
added to all subsystems to make sure the SessionContext is created
properly for each thread. This will fix the authentication data in
the audit log. The SessionContext has also been improved to use
ThreadLocal instead of a global Hashtable.
https://fedorahosted.org/pki/ticket/1054

The templates have been modified to remove hard-coded background
color settings and use the styles defined in a new CSS file.
https://fedorahosted.org/pki/ticket/1296

https://fedorahosted.org/pki/ticket/1296

Specifically changes to CS.cfg, server.xml and tomcat.conf

The Dogtag code has been modified to support both Tomcat 7 and 8.
All files depending on a specific Tomcat version are now stored
in separate folders. The build scripts have been modified to use
the proper folder for the target platform. The tomcatjss
dependency has been updated as well.
The upgrade script will be added in a separate patch.
https://fedorahosted.org/pki/ticket/1264

The TPS UI has been modified to provide an interface to edit
raw properties as in the configuration file. This also allows
editing multiple properties at once and also copying and pasting
the properties.
https://fedorahosted.org/pki/ticket/936

The TPS UI has been modified to display the appropriate actions
menu based on the roles of the user. TPS agent can only enable
and disable profiles, and also approve or reject pending requests.
TPS admin can only edit disabled profiles, then submit it for
approval, or cancel the request.
https://fedorahosted.org/pki/ticket/1292