summaryrefslogtreecommitdiffstats
path: root/pki/base/kra/shared
Commit message (Collapse)AuthorAgeFilesLines
* BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changesAde Lee2012-03-201-1/+1
| | | | | | | | | | Tomcat6 has changed the changed the location of the TOMCAT_LOG, and it should no longer point to catalina.out. This initially caused dogtag to break because the code to chown TOMCAT_LOG to TOMCAT_USER was removed. Added code to spec file to fix existing instances. Also fixed error in spec file. Incorrect selinux patch was being applied for f17.
* Provide Custom PKI JNDI Realm.Jack Magne2012-03-124-1/+154
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Provide a Realm that provides the following: 1. Allows SSL client certificate authentation upon protected URLs. For now we are protecting the new DRM Rest functions. 2. Allows simple PKI ACL checking like we have in the current server. This is accomplished with the help of a simple file that maps URLs to ACL resourceIDs and operations. 3. DRMRestClient now support SSL Client authentication to test the feature. How to test this: Install new KRA server, after installing build pki-core rpm. Uncomment "PKIJNDIRealm" settings in conf/server.xml Some customization will be needed for instance specific info. See the sample in server.xml. Uncomment the "Security Constraint" and "login-config" settings webapps/kra/WEB-INF/web.xml In running DRMTest.java in eclipse do the following: Change the arguments to support SSL Client auth such as: -h localhost -p 10443 -w secret -d ~/archive-test -s true -c "KRA Administrator of Instance pki-kra's SjcRedhat Domain ID" where the new flags are -s = true for SSL and -c = <client auth cert name> Export the KRA's admin/agent client auth cert from Firefox to a pk12 file. Import this cert into ~/archive-test by using "pk12util" utility. Run the DRMTest.java program in eclipse and observe the results. There should be a prompt for a client cert.
* Fixes to cloning and security domain tables for client auth internaldb userAde Lee2012-03-092-0/+49
| | | | | | | | | | | | | | | | | | | | | The mechanism for getting an ldap connection to the internaldb was incorrect, both in the Security Domain Session Table and the DatabasePanel. As a result, connections to the internaldb failed for accessing the security domain session table and when trying to clone a master which connects to its database using client auth. The thread that handles reading the security domain session table is now only instantiated when running on a configured security domain master. Additionally, needed acls for the client auth certificate ldap user have been moved to manager.ldif. This includes acls to allow creation and management of replication agreements and replication users (now being created under ou=csusers, cn=config) Added logs to show when ldif import errors occur. Also made sure to write and remove master ldap password for use in replication. Ticket #5
* Option to change default algorithmsAndrew Wnuk2012-02-291-0/+1
| | | | | | RSA should be default selection for transport, storage, and audit keys till ECC is fully implemented. Bug #787806.
* Fixed problems shared port.Endi Sukma Dewata2012-02-291-3/+0
| | | | | | | | Some subsystems could not be created using a shared port because it would generate a web.xml with invalid nested comment. The web.xml templates has been fixed to remove the nested comment. Ticket #112
* Removed OS subsystem.Endi Sukma Dewata2012-02-281-0/+1
| | | | | | | | | | The OS subsystem was previously used to get the PID and to handle shutdown signals using the OSUtil. It has been removed because the functionalities can be obtained without using native code. The PID will now be read from an external PID file created by the wrapper script. The shutdown signals will now be handled by shutdown hook. Ticket #90
* KRA changes for archiving and recovering symmetric keys and passphrases.Jack Magne2012-02-132-1/+37
| | | | | | | | | | | | Ticket #66 and #68. Add ability to archive and recover symmetric keys and passphrases using rest interface. Enhanced test client to test out new functionality. Provided support to return recovered data either wrapped by symmetric key or wrapped in PBE password based encryption blob. DRM symmetric key support cleanup changes. Consists of suggested cleanup measures based on review comments.
* Initial skeleton code for drm resteasy interfaceAde Lee2012-01-131-0/+27
| | | | | | | Integrated files into current servlet structure. Allowed exceptions to bubble up to top level. Move bean initialization logic into DAO objects. Fixed "keyRequest" path to "keyrequest" in KeyRequestDAO
* Bugzilla BZ# 699809 - Convert certificate system to use systemdvakwetu2011-09-093-0/+22
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2196 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla 730146 - SSL handshake picks non-FIPS ciphers in FIPS modecfu2011-08-261-3/+6
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2180 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Resolves #712931 - CS requires too many ports to be open in the FWvakwetu2011-08-233-4/+28
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2160 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 714068 - KRA: remove monitor servlet from kravakwetu2011-06-241-24/+0
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2026 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 707416 - CC_LAB_EVAL: Security Domain: missing audit msgs for ↵vakwetu2011-06-071-2/+2
| | | | | | modify/add git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2017 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix Bugzilla Bug#649910 - Console: an auditor or agent can be added to an ↵jmagne2011-05-181-1/+1
| | | | | | administrator group. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@2001 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #699837 - service command is not fully backwards compatible withmharmsen2011-04-261-0/+4
| | | | | | | Dogtag pki subsystems. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1988 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 693815 - /var/log/tomcat6/catalina.out owned by pkiuserjdennis2011-04-121-0/+3
| | | | | | | | | | | | Set the TOMCAT_LOG variable in the per instance tomcat config file otherwise it defaults to the generic tomcat log file. Note, we set up and configure our log file elsewhere so the only issue was the initscript was setting the TOMCAT_USER ownership on TOMCAT_LOG, a file we otherwise do not use or touch. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1954 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments . . .mharmsen2011-03-231-0/+3
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1915 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ# 683581: CA configuration with ECC(Default EC curve-nistp521) CA ↵vakwetu2011-03-231-1/+2
| | | | | | fails with 'signing operation failed' git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1912 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #673638.awnuk2011-02-121-1/+1
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1843 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml as partmharmsen2011-01-291-71/+0
| | | | | | | | of CC interface review * Additional deletions from various TIP 'web.xml' files git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1794 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 672111; remove unused certServer.usrgrp.administration aclvakwetu2011-01-261-1/+0
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1777 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #531137.awnuk2011-01-201-1/+1
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1750 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 662127 - CC doc Error: SignedAuditLog expiration time interface is no ↵cfu2011-01-192-6/+6
| | | | | | longer available through console git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1748 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 668100 - DRM storage cert has OCSP signing extended key usagecfu2011-01-181-2/+2
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1744 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla 661142 - Verification should fail when a revoked certificate is addedcfu2011-01-111-0/+5
| | | | | | | | - adding -P to audit signing certs trust database - making specific certusage check git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1723 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix Bugzilla Bug 663546 - Disable the functionalities that are not exposed ↵jmagne2011-01-061-0/+6
| | | | | | in the console git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1706 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 223346 - Two conflicting ACL list definitions in source repositoryvakwetu2011-01-051-45/+0
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1694 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #491183.awnuk2011-01-051-1/+1
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1689 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fixed bugzilla bug #491183.awnuk2010-12-241-6/+1
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1674 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Schema synchronization for bugzila bug #649343.awnuk2010-12-231-1/+6
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1670 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 491183 - rhcs rfe - add rfc 4523 support for pkiUser and pkiCA, ↵vakwetu2010-12-221-5/+0
| | | | | | obsolete 2252 and 2256 git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1663 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #586073 - Add new 'mod_revocator' runtime dependency to RA and TPSmharmsen2010-12-142-2/+14
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1624 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 499494 - change CA defaults to SHA2cfu2010-12-031-5/+5
| | | | | | | - changed defaults in CS.cfg's from SHA1 to SHA2 git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1601 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 642357 - CC Feature- Self-Test plugins only check for validity (missing ↵cfu2010-12-011-1/+10
| | | | | | CS.cfg changes) git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1596 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ 653576 - tomcat5 does not always run filters on servlets as expectedvakwetu2010-11-241-23/+6
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1587 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix issues discovered during testingjdennis2010-11-191-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During testing with Ade several issues were discovered which needed fixing, these included: Remove connectionTimeout on JSS connectors in the server.xml files due to JSS bug. We will reenable the timeouts when JSS is fixed. pki_apache_initscript had chmod & chown wrapped in an echo command which prevented them from executing, an artifact inadverantly left in the file during a debug session. The role parameter to runcon which had been added to facilitate test/debug was removed. The logfile variables shared between pkicommon, pkicreate and pkiremove were awkward and resulted in warnings about the use of uninitialized variables in some circumstances. Some functions were tweaked and some variables removed to enforce better data hiding and eliminate the warnings with respect to the logfile. If the pkicreate script aborted before it completed it would fail to write the installation manifest which made it impossible to remove the partial installation via pkiremove. A hander was added so it would run if Perl executed a "die" (e.g. aborted). The handler writes the manifest before final exit. The subroutine used to write the manifest was bullet proofed to avoid referencing uninitialized variables in the case of non-normal exit. The copy_directory() subroutine failed to preserve symbolic links in the source, instead it traversed the source link and copied the target of the link. copy_directory() and it's support routines were enhanced to preserve symbolic links. A new subrotine copy_symlink() was added. pkicreate failed to create a symbolic link to the symkey.jar file, it now creates the link to symkey.jar. The passwords written into the two password files were not terminated with a newline character, now they are. pkiremove would enter an infinate loop if the -force option was specified, this is now fixed. The tomcat6.conf file had been inadvertantly omitted from the tks subsystem. References to the deprecated apachectl file were expunged. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1577 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Undo the pre_merge_adjustmentjdennis2010-11-191-1/+32
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Merge CA changes into KRA,OCSP & TKSjdennis2010-11-1910-2808/+451
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1575 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Adjust current files so patches merge, will adjust after merge completejdennis2010-11-191-32/+1
| | | | | | | | | pkicreate: index.jsp -> index.html server.xml: remove ocsp base/tps/doc/CS.cfg: CIMC_CERT_VERIFICATION git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1531 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix Bugzilla Bug 649910 - Console: an auditor or agent can be added to an ↵jmagne2010-11-191-0/+5
| | | | | | administrator group. Minor config addition. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1528 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Fix Bugzilla Bug 649910 - Console: an auditor or agent can be added to an ↵jmagne2010-11-191-0/+1
| | | | | | administrator group. git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1526 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 489385 - references to rhpkicfu2010-11-161-1/+1
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1511 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 651977 - turn off ssl2 for java servers (server.xml)cfu2010-11-161-3/+3
| | | | git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1509 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 651916 - kra and ocsp are using incorrect ports to talk to CA ↵vakwetu2010-11-151-0/+12
| | | | | | and complete configuration in DonePanel git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1498 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to helpmharmsen2010-11-061-0/+10
| | | | | | | correctly set up CC environment git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1478 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 529945 - (Instructions and sample only) CS 8,0 GA release -- DRM and TKS ↵cfu2010-11-051-1/+32
| | | | | | do not seem to have CRL checking enabled git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1477 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug 638242 - Installation Wizard: at SizePanel, fix selection of ↵vakwetu2010-11-041-0/+8
| | | | | | signature algorithm; and for ECC curves git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1471 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla BZ# 631179 - Administrator is not allowed to remove ocsp signing ↵vakwetu2010-11-021-1/+1
| | | | | | certificate using console git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1465 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port fowarding mharmsen2010-10-152-29/+96
| | | | | | | for agent services git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1356 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
* Bug 637330 - CC feature: Key Management - provide signature verification ↵cfu2010-10-131-2/+2
| | | | | | functions (JAVA subsystems) git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1350 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
generated by cgit (git 2.34.1) at 2024-09-27 20:14:51 +0000