path: root/base
Commit message | Author | Age | Files | Lines
...
* Removal of version numbers from jar file names | Matthew Harmsen | 2012-10-29 | 13 | -190/+33
  * TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar files . . .
* Enabled authentication for key services. | Endi Sukma Dewata | 2012-10-29 | 22 | -101/+938
  The web.xml in KRA has been modified to enable the authentication for key and key request services. Some tools have been added to access the services via command-line. Ticket #376
* Fixed synchronization problem in CertificateRepository. | Endi Sukma Dewata | 2012-10-29 | 3 | -70/+68
  Some synchronized methods in CertificateRepository may block modifyCeritifcateRecord() too long, so they have been moved into CRLIssuingPoint and CertStatusUpdateThread. Ticket #313
* Enabled Tomcat security manager. | Endi Sukma Dewata | 2012-10-26 | 6 | -251/+204
  The tomcat.conf and the template deployment configuration have been modified to enable the security manager. The operations script has been modified to generate a new catalina.policy from the standard Tomcat policy, the standard PKI policy and the custom policy every time the instance is started. The current catalina.policy has been changed to store a header for the dynamically generated catalina.policy. A new pki.policy has been added to store the default PKI security policy. An empty custom.policy has been added to store policy customization. Ticket #223
* Refactored GetDomainXML servlet. | Endi Sukma Dewata | 2012-10-26 | 1 | -119/+10
  The GetDomainXML servlet has been refactored to use the new SecurityDomainProcessor. Ticket #309
* Added REST interface to get domain info. | Endi Sukma Dewata | 2012-10-26 | 13 | -174/+843
  The REST interface for security domain has been updated to provide a method to get the domain info. A CLI has been provided to access this method. Ticket #309
* Enabled account service for TKS and OCSP. | Endi Sukma Dewata | 2012-10-25 | 8 | -1/+90
  The REST account service has been added to TKS and OCSP to enable authentication. Ticket #375
* Restrict AJP to localhost only by default | Ade Lee | 2012-10-25 | 5 | -5/+5
  Ticket 369
* changes to remove pki-selinux from f18 build | Ade Lee | 2012-10-23 | 1 | -1/+3
* Added conditions for security domain REST service. | Endi Sukma Dewata | 2012-10-23 | 1 | -4/+21
  The CertificateAuthorityApplication has been modified to deploy the REST service for security domain only if the server has been configured with a new security domain. Ticket #309
* Fixed error handling in RetrieveModificationsTask. | Endi Sukma Dewata | 2012-10-23 | 1 | -47/+70
  The RetrieveModificationsTask has been modified such that it can recover from errors while still allowing graceful shutdown. The task is scheduled to run once. When it's done it will schedule another one depending on the situation. If the search is abandoned or the connection is closed it will wait one minute before reconnecting. If the system is being shut down it will not schedule any more tasks. Ticket #365
* Fixed KRA test. | Endi Sukma Dewata | 2012-10-22 | 7 | -16/+16
  The security configuration, JAXB mappings, and test script for KRA have been updated to run properly.
* Enabled realm authentication for certificate requests. | Endi Sukma Dewata | 2012-10-22 | 3 | -1/+3
  The realm authentication on certificate request REST services has been enabled. Since now in the CLI the authentication is done using a separate login operation, it is now possible to POST the approval data without the problem related to chunked message. Ticket #300
* Added REST account service. | Endi Sukma Dewata | 2012-10-22 | 12 | -5/+212
  A REST account service has been added to allow client to login to establish a session and to logout to destroy the session. This way multiple operations can be executed using the same session without having to re-authenticate. Ticket #357
* Provide option to install, rather than replicate schema in a clone | Ade Lee | 2012-10-22 | 10 | -8/+59
* Reorder VLV indexing for clones to avoid errors | Ade Lee | 2012-10-22 | 5 | -16/+15
* Added PKIPrincipal. | Endi Sukma Dewata | 2012-10-18 | 2 | -26/+60
  Previously in PKIRealm the authentication token was stored in a thread local variable. This does not work for multiple operations executed using the same session because each operation may be handled by different threads. A new PKIPrincipal has been added to store the authentication token so that the threads can get the correct token for the session. Ticket #357
* Added PKIConnection. | Endi Sukma Dewata | 2012-10-18 | 15 | -335/+403
  The code in PKIClient has been refactored into PKIConnection such that a single connection object can be used by several REST clients. The PKIClient will remain the base class for all REST clients. Ticket #357
* Fixes to get TPS to configure correctly | Ade Lee | 2012-10-18 | 4 | -18/+22
  1. Reorder http.conf to actually read worker config
  2. Change functions so that the TPS would restart. Before restarts would fail because the tus link already exists
  3. Modify system verification test to return correctly when tests are successful
* Refactored GetCookie servlet. | Endi Sukma Dewata | 2012-10-18 | 1 | -89/+43
  The GetCookie servlet has been refactored to use the new SecurityDomainProcessor. Ticket #309
* Enabled authentication for security domain REST interface. | Endi Sukma Dewata | 2012-10-18 | 17 | -155/+458
  The REST interface for security domain has been refactored and configured such that it requires authentication. A CLI has been added to get an installation token. Ticket #309
* Reverted to old interface and httpclient to get installation token. | Ade Lee | 2012-10-12 | 2 | -0/+31
  This is a workaround until we can get the new interface working on IPA clones.
* changes to remind folks not to use pkicreate/pkiremove | Ade Lee | 2012-10-12 | 2 | -178/+8
* Return to d9 behavior for RetrieveModificationsTask | Ade Lee | 2012-10-11 | 1 | -3/+3
* Added pki_tomcat_script_t type and rules to support upgraded instances | Ade Lee | 2012-10-11 | 1 | -1/+18
  This is so runcon in pkicontrol will continue to work for d9 style instances.
* New selinux interface needed for certmonger directory access | Ade Lee | 2012-10-10 | 2 | -1/+21
* Added pki_tomcat_cert_t type and interface to access it | Ade Lee | 2012-10-10 | 5 | -1/+51
  Added permissions to certmonger to access the certdb. Also added some missing selinux permissions for pki_tomcat_t
* Fix name of CS.cfg backup file | Ade Lee | 2012-10-08 | 1 | -1/+1
* Backup CS.cfg before d10 update | Ade Lee | 2012-10-08 | 1 | -0/+3
* Merged pki-silent into pki-server. | Endi Sukma Dewata | 2012-10-07 | 2 | -12/+10
  The pki-silent package has been merged into pki-server package. Ticket #354
* Renamed "shared" folder to "server". | Endi Sukma Dewata | 2012-10-07 | 3 | -16/+12
  The "shared" folder in /usr/share/pki has been renamed to "server" since it contains only server files. Ticket #353
* Changes to start pki_ra and pki_tps in correct context | Ade Lee | 2012-10-05 | 11 | -24/+53
  Added required selinux versions to spec file. Also added additional rule needed for F17
* add selinux context for pkidaemon, remove unneeded pid and lock code | Ade Lee | 2012-10-05 | 5 | -67/+30
  remove runcon from operations, add rules for spawn/destroy, add mgrepl changes to policy
* move common policy into tps, ra templates | Ade Lee | 2012-10-05 | 2 | -336/+98
* Use the tomcat selinux domain for the Java processes | Ade Lee | 2012-10-05 | 2 | -321/+97
* Added needed link for updated d9 -> d10 instances | Ade Lee | 2012-10-05 | 1 | -1/+3
  Ticket 356
* Using RPM version number in CMake. | Endi Sukma Dewata | 2012-10-01 | 34 | -57/+45
  The RPM spec files have been modified to pass the full RPM version number to CMake. The version number contains the product version number, release number, milestone, and platform. The CMake scripts will parse and use this version number to generate Java manifest files. The product version number will be used as the specification version and full version number will be used as the implementation version. Ticket #339
* Added package checking for pkispawn. | Endi Sukma Dewata | 2012-10-01 | 2 | -0/+7
  The pkispawn has been modified such that it will check whether the package for the subsystem being created has been installed. Ticket #332
* https://fedorahosted.org/pki/ticket/252 - TMS - ECC Key Recovery | Christina Fu | 2012-09-30 | 3 | -29/+74
* TMS key recovery part of - Bug 737122 - DRM: during archiving and recovering, wrapping unwrapping keys should be done in the token | Christina Fu | 2012-09-28 | 1 | -36/+115
* Added version number into server status. | Endi Sukma Dewata | 2012-09-28 | 1 | -0/+2
  The GetStatus servlet has been modified to include the server version number. Ticket #339
* Added VERSION file. | Endi Sukma Dewata | 2012-09-28 | 25 | -0/+180
  The CMake scripts have been modified to store the version number in /usr/share/pki/VERSION and in JAR manifest files. These files can be read by PKI applications to obtain the version number without having to query the RPM database. Fixed warnings in Java.cmake file. Ticket #339
* fall back to old interface for installtoken if needed | Ade Lee | 2012-09-27 | 2 | -4/+87
* Renamed escapeDN() into escapeRDNValue(). | Endi Sukma Dewata | 2012-09-27 | 8 | -63/+63
  The escapeDN() has been renamed into escapeRDNValue() for better clarity. Ticket #193
* (fixed warning for) task #304 TMS ECC infrastructure (enrollment with client-side and server-side key generation, and key archival) | Christina Fu | 2012-09-26 | 1 | -2/+2
* Correctly resolve symlinks in subdirectories | Matthew Harmsen | 2012-09-25 | 1 | -3/+4
  * TRAC Ticket #338 - Dogtag 10: pkihelper.py directory.set_mode() does not resolve symlinks correctly
  This patch fixes the problem that although top-level symlinks are correctly identified as symbolic links, symlinks which exist under a subdirectory are incorrectly identified as files, and thus the 'chown' and 'chmod' commands are applied to the symlink which in turn actually get applied to the target file instead.
* Use getStatus servlet to provide startup status | Ade Lee | 2012-09-21 | 2 | -0/+8
  Ticket 314
* Audit Cert Renewal | Matthew Harmsen | 2012-09-20 | 1 | -2/+2
  * TRAC Ticket #333 - Increase audit cert renewal range to 2 years
  * Bugzilla Bug #843979 - Increase audit cert renewal range to 2 years
* Changes to use standard dbuser | Ade Lee | 2012-09-19 | 7 | -26/+111
  We create a user that can be used to connect to the database using the subsystem cert for client auth. We identified this user, using the seeAlso attribute and provided certmap rules to this effect. For this user, we used to reuse the uid = user CA-hostname-port, which is already created for inter-system communication. But this is problematic if more than one dbuser exists, as the directory server may bind as the incorrect user. In any replication topology, there must be only one dbuser using the subsystem cert. To simplify things, we create a new user specifically for this purpose (pkidbuser), and we remove the seeAlso attribute from the older dbusers. A script is needed to convert existing dogtag 9 instances to use the new user, and set the relevant acls. This will be done in a separate commit.
* Provide default for operations transition list, related # 858816. | Jack Magne | 2012-09-19 | 1 | -0/+1