| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
CMS engine is a singleton and it's used by PKI realm to authenticate
users accessing the subsystem. Since a Tomcat instance may contain
multiple subsystems, each having separate realm, the PKI JAR links
need to be moved into WEB-INF/lib so that they will run inside
separate class loaders.
Tomcat also requires that the authenticator and realm classes be
available in common/lib. To address this a new package pki-tomcat.jar
has been added. The package contains the authenticator and a proxy
realm. When the subsystems start running, they will register their
own realms into the proxy realms such that the authentications will
be forwarded to the appropriate subsystems.
Ticket #89
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Previously the WAR files were generated at build time, so it would
include theme files that were installed on the build machine.
The code has been changed such that instead of generating WAR files
pkispawn will copy the webapp files from the theme folders and combine
them with subsystem webapp files at deployment time. This way it will
use the actual theme files installed on the deployment machine.
Ticket #89
|
| |
|
|
|
|
|
|
| |
The pki-console has been modified to depend on pki-base. This way
it's no longer necessary to include duplicate common classes in
pki-console.
Ticket #113
|
| |
|
|
|
|
|
|
|
| |
During subsystem configuration the ConfigurationUtils.importLDIFS()
would generate LDIF files in <instance>/conf folder which may conflict
with files belonging to other subsystems. The code has been modified
to generate the files in <instance>/<subsystem>/conf folder.
Ticket #89
|
| |
|
|
| |
This allow server to come up with DS where anon binds are turned off.
|
| |
|
|
| |
'Terminated' to be formatted and reused.
|
| |
|
|
|
|
|
|
|
| |
The jar() function has been modified to support multiple input dirs
in a single command. This way it's not necessary to define multiple
jar targets for the same jar file. The pki-console build script has
been updated to utilize this functionality.
Ticket #89
|
| |
|
|
|
|
|
|
|
|
| |
The pki-client.jar has been split and merged into pki-certsrv.jar
and pki-tools.jar. The REST client classes are now packaged in
com.netscape.certsrv.<component> packages. The REST CLI classes
are now packaged in com.netscape.cmstools.<component> packages.
The "pki" script has been moved into pki-tools RPM package.
Ticket #215
|
| |
|
|
|
|
|
|
|
| |
The pki-native-tools and pki-java-tools have been merged into
pki-tools and pki-server will depend on it. Since pki-ra and
pki-tps depends on pki-server they automatically depends on
pki-tools as well.
Ticket #295
|
| |
|
|
| |
- symkey PK11_Derive.
|
| |
|
|
|
|
|
| |
* TRAC Ticket #301 - Need to modify init scripts to verify needed
symlinks in an instance
* TRAC Ticket #303 - Dogtag 10: CS.cfg parameters for Dogtag 9 instance
running under Dogtag 10 packages . . .
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The shutdown() methods in several classes have been fixed to allow
more graceful shutdown and clean restart. There are two types of
object attributes that need to be handled differently.
Attributes that are initialized by the constructor should not be
nulled during shutdown because they won't be reinitialized during
restart. If they require a cleanup (e.g. emptying collections,
closing LDAP connections) it's not necessary to check for null
before calling the cleanup method because they're never null.
For attributes that are initialized during init(), it may not be
necessary to do a cleanup or null the attribute since they might
still be used by other threads and they will be reinitialized
during restart so the old objects will be garbage collected. If
they do need a cleanup they should be checked for null because
they might still be null due to init() failure or initialization
conditionals.
If the attributes are initialized conditionally, the logic has been
modified to ensure the attributes are either initialized or set to
null.
Ticket #247
|
| |
|
|
| |
TPS ECC: when TPS server acts as an ECC SSL client to CA, TKS, or DRM, it needs to support ECC ciphers
|
| |
|
|
|
|
|
|
| |
generation
This patch calls with the right flags for each supported HSM to the new
certutil that addressed the following bug:
Bug 820684 - certutil support for EC on HSMs - need to call PK11_GenerateKeyPairWithOpFlags()
|
| |
|
|
|
|
|
|
|
| |
This patch corrects process of attaching OCSP subsystem to CA.
It improves handling of adding subsequent OCSP subsystems to CA.
This patch also prevents DRM connector to be overwritten
by subsequent DRM installations.
Bug 804179.
|
| |
|
|
|
|
|
|
|
|
|
| |
* TRAC Ticket #266 - for non-master CA subsystems, pkidestroy needs to
contact the security domain to update the domain
* Made Fedora 17 rely upon tomcatjss 7.0.0 or later
* Changed Dogtag 10 build-time and runtime requirements for 'pki-deploy'
* Altered PKI Package Dependency Chain (top-to-bottom):
pki-ca, pki-kra, pki-ocsp, pki-tks --> pki-deploy --> pki-common
* Changed TPS to require a build-time dependency of 'httpd-devel >= 2.4.2'
* Clarified RPM build script's usage message
|
| | |
|
| | |
|
| |
|
|
|
| |
The CLI help message has been fixed to show the correct default
port number.
|
| |
|
|
| |
TPS installation wizard: SizePanel needs to support ECC curve selection
|
| |\ |
|
| | |
| |
| |
| |
| |
| | |
Added systemd scripts for RA and TPS. Modified init scripts
and configuration files to use correct directives for httpd 2.4.
TPS and RA subsystems are now installable using pkicreate
|
| |\ \
| |/
|/| |
|
| | |
| |
| |
| |
| |
| |
| | |
ECC support for tpsclient
two parameters are added in the config file (see enroll.tps.ec for example): slotnamefile - this points to a file that contains the slot name. The reason why the slot name goes into another file instead of the conf file is because the existing conf file uses spaces for deliminator and I don't want to change the usage (and QE's tests) by changing it to something else. tokpasswod is the tokebn password
This ECC feature requires the up-coming ECC supporting TPS to trigger. Testing of the ECC specific areas requires the availability of such ECC TPS. Without it, one can test with the old RSA method to see if it's broken.
|
| | |
| |
| |
| |
| |
| |
| | |
A new pki-client.jar has been created to package the REST client
and CLI classes.
Ticket #215
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
The ConfigurationResponse previously has a method that uses a class
that exists on the server only, creating a dependency issue since
the ConfigurationResponse will be used by the client as well. The
method now has been moved into a separate factory class.
Ticket #259
|
| | |
| |
| |
| |
| |
| |
| | |
The common classes used by REST client and services have been moved
into the com.netscape.certsrv.<component> packages.
Ticket #215
|
| | |
| |
| |
| |
| |
| |
| | |
The factory and DAO classes used by REST services have been moved
into the com.netscape.cms.servlet.<component> packages.
Ticket #215
|
| | |
| |
| |
| |
| |
| |
| | |
The REST client classes have been moved into the
com.netscape.cms.client.<component> packages.
Ticket #215
|
| | |
| |
| |
| |
| |
| |
| | |
The REST common classes have been renamed for better clarity
and consistency.
Ticket #259
|
| | |
| |
| |
| |
| |
| |
| | |
The REST server classes have been renamed for better clarity
and consistency.
Ticket #259
|
| | |
| |
| |
| |
| |
| |
| | |
The REST client classes have been renamed for better clarity
and consistency.
Ticket #259
|
| | |
| |
| |
| |
| |
| |
| | |
The remaining build scripts have been updated to automatically
find the source codes.
Ticket #62
|
| |/
|
|
|
|
|
|
| |
The build scripts for test, util test, and common test
components have been updated to automatically find the
source codes and not create unnecessary test jar files.
Ticket #62
|
| |
|
|
|
|
|
| |
* TRAC Ticket #184 - Dogtag 10: Update PKI Deployment to handle
cloning CA/KRA/OCSP/TKS . . .
* TRAC Ticket #285 - Dogtag 10: Fix installation issues for
KRA, OCSP, and TKS
|
| |
|
|
|
|
|
|
|
| |
Search function call supporting various already present.
Changes the ds call from searchCertificates to CertificateRepository.findCertRecords().
Added pagination using start and size options . provided in command line.
Conflicts:
base/common/src/com/netscape/cms/client/cert/CertRestClient.java
|
| |
|
|
|
|
|
|
|
| |
pki-cert-find <filename> [OPTIONS]
Available search options
pki-cert-find - lists all the certificates.
pki-cert-find --input <filename> - reads the search criteria from the file (Unmarshalled CertSearchData object)
pki-cert-find [Options] - custom build of search criteria
pki-cert-find --help - shows all the available options.
|
| | |
|
| |
|
|
|
|
| |
The API changed between httpd 2.2 and 2.4. We now need to pass
the module index to ap_log_error() when calling it. The remote_ip
member of the connection struct also was renamed to client_ip.
|
| |
|
|
|
|
|
| |
In the new selinux policy, pki_ca_t etc. are all replaced by
pki_tomcat_t. To allow old instances to work under dogtag 10, the
context in the run scripts needs to change.
Also added a rule needed by selinux policy.
|
| |
|
|
|
|
|
| |
Reverted previous fix to pkidaemon and operations. Now, as
expected, systemctl start/stop pki-tomcatd@foo.service will stop
instance foo, whereas pki-tomcatd.target will affect all tomcatd
instances.
|
| |
|
|
|
|
| |
'tomcat7jss.jar' in Fedora 18 tomcatjss package
* Requires tomcatjss 7.0.0-3 as links for instances created by 'pkispawn' will
now point to 'tomcat7jss.jar'
|
| |
|
|
|
|
|
|
|
|
|
| |
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a client certificate or username
and password. The authentication and authorization will be handled
by the SSL authenticator with fallback and PKI realm. New access
control rules have been added for users, groups, and certs REST
services.
Ticket #107
|
| |
|
|
|
|
|
|
|
|
|
| |
To support different access control configurations the REST
services have been separated by roles. Services that don't
need authentication will be available under /rest. Services
that require agent rights will be available under /rest/agent.
Services that require admin rights will be available under
/rest/admin.
Ticket #107
|
| |
|
|
|
|
| |
This patch adds ECC directory enrollment profile.
Bug: 748514.
|
| |
|
|
|
|
|
|
|
| |
* PKI TRAC Ticket #279 - Dogtag 10: Fix remaining 'cloning' issues in
'pkispawn' . . .
* PKI TRAC Ticket #280 - Dogtag 10: Fix remaining issues in 'pkidestroy'
related to deletion of more than one instance . . .
* PKI TRAC Ticket #281 - Dogtag 10: Fix 'pkidaemon'/'operations' issue to
handle individual instance . . .
|
| |
|
|
|
|
|
|
| |
On Tomcat 7 it's no longer necessary to have a separate package
for the authenticator and realm classes. They are now packaged
in pki-cmscore.jar which is deployed in Tomcat's common/lib.
Ticket #126
|
| |
|
|
|
|
|
|
|
| |
The PKI JNDI realm has been modified to utilize the authentication
and authorization subsystems in PKI engine directly. It's no longer
necessary to define the LDAP connection settings in Tomcat's
configuration files.
Ticket #126
|
| |
|
|
|
|
|
|
| |
A custom Tomcat authenticator has been added to authenticate users
using client certificate if provided, otherwise it will fallback to
BASIC/FORM authentication.
Ticket #107
|
| |
|
|
|
|
|
| |
Selinux policy has been changed to use standard tomcat ports. Corresponding
changes have been made in the pki-deploy scripts.
Minor change in config script for password check.
|
