path: root/base
Commit message | Author | Age | Files | Lines
...
* Fixed pylint warning in pkihelper.py. | Endi S. Dewata | 2015-05-14 | 1 | -1/+1
* Fixed problem redeploying subsystem. | Endi S. Dewata | 2015-05-14 | 1 | -3/+13
  The pki-server subsystem-enable CLI has been modified to deploy the subsystem from a custom location if available, or from the default location otherwise.
  https://fedorahosted.org/pki/ticket/1381
* Added key-show option. | Endi S. Dewata | 2015-05-14 | 2 | -13/+30
  The key-show CLI has been modified to provide an option to find the active key info using the client key ID.
* modify contents of serverCertNick.conf | Matthew Harmsen | 2015-05-13 | 3 | -0/+48
  - PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA should hold off prepending token name in serverCertNick.conf till phase 2
* Ticket 1160 audit logging needed: REST API auth/authz; kra for getKeyInfo | Christina Fu | 2015-05-13 | 4 | -39/+281
  - (1) REST API auth/authz - this patch addresses the first part of this ticket where auditing is completely missing for authentication and authorization at the REST interface.
* Refactored upgrade scripts. | Endi S. Dewata | 2015-05-11 | 9 | -186/+35
  The upgrade scripts have been modified to use the uid and gid provided by PKIInstance object.
  https://fedorahosted.org/pki/ticket/1341
* Added options for internal token and replication passwords. | Endi S. Dewata | 2015-05-11 | 6 | -165/+41
  The installation code has been modified such that the admin can optionally specify passwords for internal token and replication. Otherwise the code will generate random passwords like before.
  https://fedorahosted.org/pki/ticket/1354
* Patches to get nuxwdog working with systemd | Ade Lee | 2015-05-10 | 19 | -35/+153
  This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files.
  It also corrects some issues found in additional testing of the nuxwdog change scripts.
  To use nuxwdog to start the instance, a user needs to do the following:
  1. Create an instance normally.
  2. Run: pki-server instance-nuxwdog-enable <instance_name>
  3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
  To revert the instance, simply do the following:
  1. Run: pki-server instance-nuxwdog-disable <instance_name>
  2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service
* Fixed installation logs. | Endi S. Dewata | 2015-05-08 | 1 | -6/+13
  To help troubleshooting installation failures the pkihelper.py has been modified to display the error code returned by the server before parsing the error message. If there is a parsing error, the unparsed message will now be displayed.
  The redundant 'raise' and 'return' statements have been removed.
* Get profile ID from DN instead of CN attribute | Fraser Tweedale | 2015-05-08 | 1 | -8/+15
* Simple fix for this is not requiring the pki_client_database_password to be set when performing a clone operation. | Jack Magne | 2015-05-07 | 1 | -1/+3
  Tested with a cloned CA and a couple of other subsystems, such as OCSP.
* Fix #1351 pki securitydomain-get-install-token fails when run with caadmin user. | Jack Magne | 2015-05-07 | 5 | -178/+11
  The short term solution to this problem was to remove the man page information and all references to the command line module responsible for this issue. The installer already has an alternative method to remove a subsystem from the security domain list. We now assume the alternate method and don't even try to find the token at this point. A user at the command line of the pki command will no longer be able to attempt this as well.
  Tested this to verify that the man page for the "securitydomain" command no longer mentions or documents the "get-install-token" variant.
  Tested to verify that this command can't be manually called from the command line using "pki". This attempt results in an "unknown module".
  Tested by installing and uninstalling a subsystem. The security domain was kept up to date as expected for each install over remove attempted.
* Fixed pylint warnings. | Endi S. Dewata | 2015-05-07 | 1 | -0/+3
  The pki.server Python module has been fixed to remove pylint warnings generated by recent changes.
  https://fedorahosted.org/pki/ticket/1353
* Ticket #572 - CRL scheduler adds extra CRL generation at midnight for daily schedules. | Jack Magne | 2015-05-06 | 1 | -3/+3
  Addresses the complaint of this ticket. Tested to work in a few basic cases. The minor code change was designed to only affect the specific scenario when we have a daily schedule that spans only one day.
  More Info:
  How to duplicate and test:
  Perform a manual crl generate from the agent interface because the code to be tested relies heavily upon the "lastUpdate" which will appear in the logs. Do this to have a nice launching off point.
  Go to the ca's pkiconsole and select : Certificate Manager -> CRL Issuing Points -> MasterCRL.
  Check "updateCRL at: " and give a schedule such as : 15:03, 15:10 .. This gives us a chance to watch the two regularly scheduled updates happen.
  When the first event triggers, have a look at the CA's "debug" log and note the following or similar entry:
  [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:10:00 PDT 2015 delay: 86301873
  Wait for the 15:00 event to happen. When that triggers at the end of that cycle, we should see one more similar entry.
  [CRLIssuingPoint-MasterCRL]: findNextUpdate: Wed May 06 15:03 PDT 2015 delay: 86301873
  That is the correct behavior after the fix. We want the next update to be at the first entry of the daily schedule, but tomorrow. The current bug would print out this value as something like: Wed May 06 00:00:00 or similar to indicate midnight. This is not what we want.
* Fixed migration tool to update Tomcat libraries. | Endi S. Dewata | 2015-05-06 | 2 | -7/+44
  The migration tool has been fixed to update the links to Tomcat libraries in the instance folder to match the current Tomcat version installed on the system.
  https://fedorahosted.org/pki/ticket/1353
* Ticket 1295 Upgrade script for - CA: OCSP via GET does not work | Christina Fu | 2015-05-05 | 2 | -0/+79
* Fixed authentication data in audit log. | Endi S. Dewata | 2015-05-05 | 7 | -38/+124
  The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable.
  https://fedorahosted.org/pki/ticket/1054
* OCSP and CA minor cloning fixes | Jack Magne | 2015-05-01 | 2 | -20/+80
  Tickets #1294, #1058
  The patch does the following:
  1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058
  The controversial part of this one is the fact that I have disabled having OCSP clones register themselves to the CA as publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is the master is on an island with respect to updates and could be considered a single point of failure.
  Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer OCSP clones to set up the publishers in such a way that all clones and master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successful publish should end the processing of that group.
  2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post install tasks that we are trying to automate.
  Code tested to work.
  1. OCSP clones can be installed and the CRL were checked to be in sync when an update occurred to the master.
  2. The CA clone has been seen to have the required params and it looks to come up just fine.
  Final review minor changes to tickets, 1294, and 1058.
* Fix interactive install to not reprompt for ports | Ade Lee | 2015-04-29 | 3 | -7/+53
  Ports are already set when deploying into an existing instance. Having a user re-enter these is repetitious and error prone.
* Trac Ticket 1196 - serverCertNick.conf is replaced incorrectly | Ade Lee | 2015-04-29 | 1 | -1/+3
  When second subsystem is installed, serverCertNick.conf and other top level tomcat config files should not be replaced.
* Code cleanup - simplify pkispawn code | Ade Lee | 2015-04-29 | 10 | -749/+716
  All subsystems are now tomcat instances. Conditionals based on whether the subsystem is a tomcat instance or not are no longer required.
* Ticket #1295 CA: OCSP via GET does not work | Christina Fu | 2015-04-28 | 1 | -0/+5
* Add nuxwdog to java policy | Ade Lee | 2015-04-28 | 1 | -0/+3
  This allows PKI server to be loaded with nuxwdog library when java security policy is enabled.
* Add ability to pki-server to enable/disable nuxwdog for an instance | Ade Lee | 2015-04-28 | 3 | -2/+447
  This adds the ability to either enable or disable an instance using the pki-server utility. Additional documentation and additions to the man pages will be added in a separate patch.
* Add conditional to disable doclint for javadocs on java >= 1.8 | Ade Lee | 2015-04-24 | 1 | -0/+6
* Fixed problem deploying without theme. | Endi S. Dewata | 2015-04-24 | 1 | -12/+13
  The deployment tool has been modified to deploy the pki.xml only if the theme package is installed.
  https://fedorahosted.org/pki/ticket/499
* Fix some javadoc errors that prevent F23 build | Ade Lee | 2015-04-24 | 9 | -18/+3
* Remove duplicate prompt on nuxwdog startup | Ade Lee | 2015-04-23 | 6 | -5/+54
* Added direct deployment for theme. | Endi S. Dewata | 2015-04-23 | 9 | -29/+163
  The deployment tool has been modified to deploy the theme files directly from /usr/share/pki. New deployment descriptors have been added for admin templates and JS library.
  https://fedorahosted.org/pki/ticket/499
* Added missing "logo" theme properties to OCSP and TKS "ports.template". | Matthew Harmsen | 2015-04-22 | 2 | -2/+2
* Parameterized CA templates. | Endi S. Dewata | 2015-04-22 | 6 | -31/+157
  https://fedorahosted.org/pki/ticket/1296
* Enumerate profiles in order of discovery | Fraser Tweedale | 2015-04-23 | 3 | -4/+8
  Recent change (d83f688) changed the order of profile enumeration. Track profiles using a LinkedHashMap to restore old behaviour where profiles were enumerated in the order they were discovered.
* OCSP Parameterized. | Jack Magne | 2015-04-22 | 5 | -28/+128
* Moved color settings to CSS. | Endi S. Dewata | 2015-04-22 | 79 | -80/+127
  The templates have been modified to remove hard-coded background color settings and use the styles defined in a new CSS file.
  https://fedorahosted.org/pki/ticket/1296
* Moved CSS files to theme package. | Endi S. Dewata | 2015-04-22 | 4 | -9986/+0
  The CSS files have been moved into the theme package to allow more control of the UI appearance.
  https://fedorahosted.org/pki/ticket/499
* Moved fonts and images to theme package. | Endi S. Dewata | 2015-04-22 | 21 | -0/+0
  The fonts and images have been moved into the theme package to allow more control of the UI appearance.
  https://fedorahosted.org/pki/ticket/499
* Added direct deployment for all subsystems. | Endi S. Dewata | 2015-04-22 | 17 | -214/+16
  The deployment tool has been modified to deploy all subsystems directly from the /usr/share/pki. This will simplify updating the templates in the web applications.
  https://fedorahosted.org/pki/ticket/499
* TKS Parameterized (revised, again) | Christina Fu | 2015-04-22 | 5 | -27/+122
* Fixed build issues. | Endi S. Dewata | 2015-04-22 | 2 | -2/+1
  The code has been modified to fix tomcatjss and python-sphinx issues.
* Fixed typos. | Matthew Harmsen | 2015-04-22 | 2 | -2/+2
* Parameterized KRA | Matthew Harmsen | 2015-04-22 | 5 | -28/+122
  - PKI TRAC Ticket #1296 - RHCS 9.0 theme
* Parameterized /ca/agent/header. | Endi S. Dewata | 2015-04-22 | 1 | -2/+23
  https://fedorahosted.org/pki/ticket/1296
* Parameterized /ca/ee/ca/index.html. | Endi S. Dewata | 2015-04-22 | 1 | -6/+24
  https://fedorahosted.org/pki/ticket/1296
* Parameterized ROOT's index.jsp. | Endi S. Dewata | 2015-04-22 | 1 | -2/+27
  https://fedorahosted.org/pki/ticket/1296
* Parameterized service.template in all subsystems. | Endi S. Dewata | 2015-04-22 | 4 | -112/+84
  https://fedorahosted.org/pki/ticket/1296
* Parameterized CA's services.template. | Endi S. Dewata | 2015-04-22 | 1 | -2/+28
  https://fedorahosted.org/pki/ticket/1296
* Add back the getPassword(tag) code to handle old tomcatjss interface | Ade Lee | 2015-04-22 | 1 | -0/+5
* Added pki-server-nuxwdog tool to create config file for nuxwdog | Ade Lee | 2015-04-22 | 1 | -0/+43
  This config file can be used in starting up the instance in a standalone fashion.
* Changes to config files to support nuxwdog | Ade Lee | 2015-04-22 | 9 | -1/+20
  Specifically changes to CS.cfg, server.xml and tomcat.conf
* Add nuxwdog functionality to Dogtag | Ade Lee | 2015-04-22 | 22 | -48/+606
  This is the first of several commits. This adds a LifecycleListener to call init() on the nuxwdog client before any connectors or webapps start up, and call sendEndInit() once initialization completes.
  Code is also added to prompt for and test required passwords on startup.
  All that is required to use nuxwdog is to start the server using nuxwdog. An environment variable will be set that will trigger creation of the NuxwdogPasswordStore. We expect tags for the required passwords to be in cms.passwordList