| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Tomcat6 has changed the location of the TOMCAT_LOG, and
it should no longer point to catalina.out. This initially caused
dogtag to break because the code to chown TOMCAT_LOG to TOMCAT_USER
was removed. Added code to spec file to fix existing instances.
Also fixed error in spec file. Incorrect selinux patch was being
applied for f17.
| |
Provide a Realm that provides the following:
1. Allows SSL client certificate authentication upon protected URLs.
For now we are protecting the new DRM Rest functions.
2. Allows simple PKI ACL checking like we have in the current server.
This is accomplished with the help of a simple file that maps URLs
to ACL resourceIDs and operations.
3. DRMRestClient now supports SSL Client authentication to test the feature.
How to test this:
Install new KRA server, after installing build pki-core rpm.
Uncomment "PKIJNDIRealm" settings in conf/server.xml
Some customization will be needed for instance specific info. See
the sample in server.xml.
Uncomment the "Security Constraint" and "login-config" settings in webapps/kra/WEB-INF/web.xml
In running DRMTest.java in eclipse do the following:
Change the arguments to support SSL Client auth such as:
-h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID"
where the new flags are -s = true for SSL and -c = <client auth cert name>
Export the KRA's admin/agent client auth cert from Firefox to a pk12 file.
Import this cert into ~/archive-test by using "pk12util" utility.
Run the DRMTest.java program in eclipse and observe the results. There should be a prompt
for a client cert.
| |
The mechanism for getting an ldap connection to the internaldb was incorrect,
both in the Security Domain Session Table and the DatabasePanel. As a result,
connections to the internaldb failed for accessing the security domain session
table and when trying to clone a master which connects to its database using
client auth.
The thread that handles reading the security domain session table is now only
instantiated when running on a configured security domain master.
Additionally, needed acls for the client auth certificate ldap user have been
moved to manager.ldif. This includes acls to allow creation and management of
replication agreements and replication users (now being created under
ou=csusers, cn=config)
Added logs to show when ldif import errors occur. Also made sure to write and
remove master ldap password for use in replication.
Ticket #5
| |
RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented.
Bug #787806.
| |
Some subsystems could not be created using a shared port because it
would generate a web.xml with an invalid nested comment. The web.xml
templates have been fixed to remove the nested comment.
Ticket #112
| |
The OS subsystem was previously used to get the PID and to handle
shutdown signals using the OSUtil. It has been removed because the
functionalities can be obtained without using native code. The PID
will now be read from an external PID file created by the wrapper
script. The shutdown signals will now be handled by a shutdown hook.
Ticket #90
| |
Ticket #66 and #68.
Add ability to archive and recover symmetric keys and passphrases using rest interface.
Enhanced test client to test out new functionality.
Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob.
DRM symmetric key support cleanup changes.
Consists of suggested cleanup measures based on review comments.
| |
Integrated files into current servlet structure.
Allowed exceptions to bubble up to top level.
Move bean initialization logic into DAO objects.
Fixed "keyRequest" path to "keyrequest" in KeyRequestDAO
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2196 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2026 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
modify/add
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2017 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
administrator group.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2001 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
Dogtag pki subsystems.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1988 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
Set the TOMCAT_LOG variable in the per instance tomcat
config file otherwise it defaults to the generic tomcat
log file. Note, we set up and configure our log file elsewhere
so the only issue was the initscript was setting the
TOMCAT_USER ownership on TOMCAT_LOG, a file we otherwise do
not use or touch.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1954 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1915 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
fails with 'signing operation failed'
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1912 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1843 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
of CC interface review
* Additional deletions from various TIP 'web.xml' files
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1794 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1777 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1750 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
longer available through console
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1748 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1744 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
- adding -P to audit signing certs trust database
- making specific certusage check
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1723 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
in the console
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1706 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1694 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1689 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1674 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1670 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
obsolete 2252 and 2256
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1663 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
- changed defaults in CS.cfg's from SHA1 to SHA2
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1601 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
CS.cfg changes)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1596 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1587 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
During testing with Ade several issues were discovered which needed
fixing, these included:
Remove connectionTimeout on JSS connectors in the server.xml files due
to JSS bug. We will reenable the timeouts when JSS is fixed.
pki_apache_initscript had chmod & chown wrapped in an echo command
which prevented them from executing, an artifact inadvertently left in
the file during a debug session. The role parameter to runcon which
had been added to facilitate test/debug was removed.
The logfile variables shared between pkicommon, pkicreate and
pkiremove were awkward and resulted in warnings about the use of
uninitialized variables in some circumstances. Some functions were
tweaked and some variables removed to enforce better data hiding and
eliminate the warnings with respect to the logfile.
If the pkicreate script aborted before it completed it would fail to
write the installation manifest which made it impossible to remove the
partial installation via pkiremove. A handler was added so it would run
if Perl executed a "die" (e.g. aborted). The handler writes the
manifest before final exit. The subroutine used to write the manifest
was bullet proofed to avoid referencing uninitialized variables in the
case of non-normal exit.
The copy_directory() subroutine failed to preserve symbolic links in
the source, instead it traversed the source link and copied the target
of the link. copy_directory() and its support routines were enhanced
to preserve symbolic links. A new subroutine copy_symlink() was added.
pkicreate failed to create a symbolic link to the symkey.jar file, it
now creates the link to symkey.jar.
The passwords written into the two password files were not terminated
with a newline character, now they are.
pkiremove would enter an infinite loop if the -force option was
specified, this is now fixed.
The tomcat6.conf file had been inadvertently omitted from the tks
subsystem.
References to the deprecated apachectl file were expunged.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1577 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
pkicreate: index.jsp -> index.html
server.xml: remove ocsp
base/tps/doc/CS.cfg: CIMC_CERT_VERIFICATION
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1531 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
administrator group. Minor config addition.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1528 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
administrator group.
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1526 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1511 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1509 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
and complete configuration in DonePanel
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1498 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
correctly set up CC environment
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1478 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
do not seem to have CRL checking enabled
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1477 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
signature algorithm; and for ECC curves
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1471 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
certificate using console
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1465 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
for agent services
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1356 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
| |
functions (JAVA subsystems)
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1350 c9f7a03b-bd48-0410-a16d-cbbf54688b0b