| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
The PORT and UNSECURE_PORT variables in RA and TPS have been renamed
into PKI_UNSECURE_PORT to match the Tomcat-based subsystems.
|
|
|
|
|
| |
The SECURE_PORT variable in RA and TPS has been renamed into
PKI_SECURE_PORT to match the Tomcat-based subsystems.
|
|
|
|
|
| |
The CS.cfg.in in RA and TPS has been moved from doc into shared/conf
to match the Tomcat-based subsystems.
|
|
|
|
|
|
| |
This patch provides fixes to various pki-tps flaws.
Bug 966189.
|
|
|
|
|
|
|
| |
Raise an exception on error so that it can be handled by the
caller.
Ticket #562
|
|
|
|
|
|
| |
Recently the JNI_JAR_DIR was moved into /usr/share/pki/etc/pki.conf.
A new upgrade script has been added to remove the unused JNI_JAR_DIR
from /etc/pki/pki.conf.
|
|
|
|
|
|
|
|
|
|
| |
The upgrade framework has been modified to support backup and restore
functionality. A new method backup(filename) has been added to save
a file into a backup folder. The CLI's have been modified to accept
a --revert parameter which will restore the backup files one version
at a time.
Ticket #583
|
|
|
|
|
|
| |
This patch provides an option to generate CRLs with nextUpdate calculated as sum of thisUpdate and an offset.
Ticket #571
|
|
|
|
|
|
| |
This patch provides plug-in randomizing validity
Ticket #607
|
|
|
|
|
|
| |
java.security.NoSuchAlgorithmException" when using NetHSM token
- small patch to remove Eclipse warning
|
|
|
|
|
|
|
|
|
|
| |
The JNI_JAR_DIR is supposed to be architecture-specific but the
pki-base package is architecture-neutral. So, to ensure it has the
correct value, the variable will be set at post installation.
Also, to simplify the upgrade process, the variable has been moved
from /etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build,
deployment, startup, and upgrade scripts have been modified
accordingly.
|
|
|
|
|
|
|
|
|
| |
runMain() has been changed to private access in latest junit(),
breaking the 19 build. We should not have been using this class in
the first place. Replaced it with the implementation of runMain()
which uses run(classes).
Ticket 605
|
|
|
|
|
|
|
|
|
|
| |
When setting up clones or non-CA subsystems, pkispawn checks if
the security domain is accessible and if the user can log in.
These calls invoke REST URIs, which are not available on older
subsystems. To support these subsystems, we need to attempt the
older legacy servlets if the REST APIs are not available.
Ticket #604
|
|
|
|
| |
* TRAC Ticket #602 - pkiconsole cannot find 'jss4.jar' on Fedora 19
|
|
|
|
| |
java.security.NoSuchAlgorithmException" when using NetHSM token
|
|
|
|
|
|
| |
The /etc/pki/pki.conf has been restored. The RPM spec file has
been modified such that it will create a system upgrade tracker file
(/etc/pki/pki.version) on install and remove it on uninstall.
|
|
|
|
|
| |
The pki.server module has been fixed to include the module name
of the PKIException.
|
|
|
|
|
| |
The pki.server module has been fixed to include the module name
of the BASE_DIR.
|
|
|
|
|
|
|
|
|
|
| |
A new upgrade scriptlet has been added to add JNI_JAR_DIR into
pki.conf. The code to manipulate property files has been refactored
from PKIUpgradeTracker into a separate PropertyFile class to allow
reuse.
The pki-base package has been modified to deliver a default pki.conf
in /usr/share/pki/etc and copy it into /etc/pki if it doesn't exist.
|
|
|
|
|
|
|
|
| |
The PKIServerUpgrader.get_current_version() incorrectly returns None
if there is no instance on the system. It has been modified to return
the target version so that no upgrade operation will occur.
Bugzilla #957690
|
|
|
|
|
|
| |
Update kraconnector-delete call to use -c for database password.
Update get-install-token call to specify instance certdb. Removed
--ignore-untrusted directives on both. Update man page.
|
|
|
|
|
|
|
|
|
| |
Recently the CLI was changed to initialize the default client database
automatically which will create it if it did not exist before. This was
causing a problem since the database was not created with a password.
To create the database properly a separate command is needed. For now
the CLI is reverted to the old behavior where it initializes the database
only if it is required for SSL connection and/or client authentication.
|
|
|
|
|
|
|
|
| |
Previously the -w option was used to specify the password for
either the username/password authentication or client database
password to do client certificate authentication. Since the
passwords now may be used at the same time, a new -c option
has been added for the client database password.
|
|
|
|
|
|
|
|
| |
The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.
The instanceCreationMode is now redundant and has been removed from
ClientConfig.
|
|
|
|
|
| |
The default folder to store user files in the home directory
has been changed from .pki to .dogtag.
|
|
|
|
|
|
|
| |
The CMake script has been fixed to include the commons-io library
when building javadoc.
Ticket #491
|
|
|
|
|
|
|
|
| |
A new method has been added to the PKIClient to download the CA
certificate chain from an alternative location including the admin
interface.
Ticket #491
|
|
|
|
|
|
|
|
| |
The default client database location for CLI has been changed to
~/.dogtag/nssdb. The database will always be initialized regardless
of whether it is actually used.
Ticket #491
|
|
|
|
|
|
|
|
| |
The log file is not very useful without the level of logging.
If you have occasion to go to the log file, then you want to
see all the gory details. This of course is valid for pkidestroy too.
Also removed an unneeded import introduced by mistake.
|
|
|
|
|
|
|
| |
Print the stacktrace to the log file if there is an error while
executing pkispawn.
Ticket #592
|
|
|
|
|
|
|
|
|
|
| |
The upgrade framework has been split into base and server upgrade
frameworks since they will be run automatically by different RPM
packages during upgrade. The base upgrade framework will upgrade
the system configuration. The server upgrade framework will upgrade
the instances and subsystems.
Ticket #544
|
|
|
|
|
|
|
| |
A new CLI module has been added to manage certificates in client
security database.
Ticket #491
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse.
The Client classes have been modified such that they use a shared
PKIClient object instead of PKIConnection.
The return codes in CertFindCLI have been fixed to be more consistent
with other commands.
Ticket #491
|
|
|
|
|
| |
* Bugzilla Bug #953464 - ipa-server-install crashes due to sslget error
* Bugzilla Bug #859043 - ipa-server-install results in error -5987
|
|
|
|
|
|
| |
This patch improves cloning in regards to configuration of random certificate serial numbers.
Bug: 922121.
|
|
|
|
|
|
|
| |
The pki.conf has been moved into the base/common folder to match
the RPM package.
Ticket #553
|
|
|
|
|
|
| |
This patch corrects JavaScript inability to handle big numbers in key recovery process.
Bug: 955784.
|
|
|
|
|
|
|
|
|
| |
After configuration is done, the JSON result can have only one system
cert (in case of clone installation). But the code expects a list of
certs rather than a single cert. So when there is only one certificate
it is added to a list and processed.
Ticket #593
|
|
|
|
|
|
|
|
| |
Output the actual result of a revoke/unrevoke operation in CLI, since
the actual result of the operation can be different from the cert request
status.
Ticket #217
|
|
|
|
|
|
| |
This patch corrects key IDs miscalculated by JavaScript for key search results and key record views.
Bug: 951501.
|
|
|
|
|
|
|
|
| |
New options have been added to the CLI to reject or ignore certain
cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
The options can also be defined in pki.conf as a system-wide policy.
Ticket #491
|
|
|
|
|
|
|
|
|
| |
The CLI has been modified such that when it connects to an untrusted
server it will ask the user whether to import the CA certificate and
also ask for the location of the CA server from which to download
the CA certificate.
Ticket #491
|
|
|
|
|
|
| |
Do not log the installation information after completion of
installation in pkispawn because, when run in verbose mode,
all the information is printed twice in an unordered way.
|
|
|
|
|
|
|
|
| |
Changed the status check and restart commands to systemctl.
The text $errorString will not be seen when the security domain login panel
is launched for the first time.
Ticket #452
|
|
|
|
|
|
|
|
|
|
| |
D9 instances run on tomcat6, which does not have support for the
authenticator and realm. We are not supporting the REST operations
on D9 style instances. They will need to be migrated.
The migration framework has been modified to process d9 or d10
style instances, and a migration script has been added to add the new
servlet to existing d9 instances.
|
|
|
|
|
|
| |
This patch adds support for random certificate serial numbers.
Bug 912554.
|
|
|
|
|
|
|
| |
The CLI has been modified such that by default it will use FQDN
instead of localhost to avoid SSL certificate warnings.
Ticket #541
|
|
|
|
|
|
|
|
| |
Add a retry mechanism to pkispawn/pkidestroy when they could not
acquire semanage transaction lock while setting/deleting selinux
contexts.
Ticket #470
|
|
|
|
|
|
|
| |
Print the command to get the status of a subsystem and the URL to
access after installation.
Ticket #514
|
|
|
|
|
|
|
| |
Remove the sensitive parameters before archiving the user
configurations in the archive file.
Ticket #566
|