From 621d9e5c413e561293d7484b93882d985b3fe15f Mon Sep 17 00:00:00 2001
From: Endi Sukma Dewata
Date: Sat, 24 Mar 2012 02:27:47 -0500
Subject: Removed unnecessary pki folder.
Previously the source code was located inside a pki folder. This folder was created during svn migration and is no longer needed. This folder has now been removed and the contents have been moved up one level. Ticket #131
---
specs/dogtag-pki-theme.spec | 596 ++++++++++++
specs/dogtag-pki.spec | 228 +++++
specs/ipa-pki-theme.spec | 181 ++++
specs/pki-console.spec | 176 ++++
specs/pki-core.spec | 2174 +++++++++++++++++++++++++++++++++++++++++++
specs/pki-migrate.spec | 156 ++++
specs/pki-ra.spec | 271 ++++++
specs/pki-tps.spec | 466 ++++++++++
8 files changed, 4248 insertions(+)
create mode 100644 specs/dogtag-pki-theme.spec
create mode 100644 specs/dogtag-pki.spec
create mode 100644 specs/ipa-pki-theme.spec
create mode 100644 specs/pki-console.spec
create mode 100644 specs/pki-core.spec
create mode 100644 specs/pki-migrate.spec
create mode 100644 specs/pki-ra.spec
create mode 100644 specs/pki-tps.spec
(limited to 'specs')
diff --git a/specs/dogtag-pki-theme.spec b/specs/dogtag-pki-theme.spec
new file mode 100644
index 000000000..abd436af1
--- /dev/null
+++ b/specs/dogtag-pki-theme.spec
@@ -0,0 +1,596 @@ +# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release +# also remove the space between % and global - this space is needed because +# fedpkg verrel stupidly ignores comment lines +%global prerel .a1 +# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release +%global relprefix 0. + +Name: dogtag-pki-theme +Version: 10.0.0 +Release: %{?relprefix}1%{?prerel}%{?dist} +Summary: Certificate System - Dogtag PKI Theme Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Base + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +%if 0%{?fedora} >= 16 +BuildRequires: jpackage-utils >= 1.7.5-10 +%else +BuildRequires: jpackage-utils +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz + +%if 0%{?rhel} +ExcludeArch: ppc ppc64 s390 s390x +%endif + +%global overview \ +Several PKI packages require a "virtual" theme component. These \ +"virtual" theme components are "Provided" by various theme "flavors" \ +including "dogtag", "redhat", and "ipa". Consequently, \ +all "dogtag", "redhat", and "ipa" theme components MUST be \ +mutually exclusive! \ + \ +On Fedora systems, the "dogtag" theme packages are the ONLY available \ +theme components. \ + \ +Similarly, the "ipa" theme packages are ONLY available on RHEL \ +systems, and represent the default theme components. \ + \ +Alternatively, on RHEL systems, if the "dogtag" theme packages are \ +available as EPEL packages, while they may be used as a transparent \ +replacement for their corresponding "ipa" theme package, they are not \ +intended to be used as a replacement for their corresponding "redhat" \ +theme components. \ + \ +Finally, if available for a RHEL system (e. g. 
- RHCS subscription), \ +each "redhat" theme package MUST be used as a transparent replacement \ +for its corresponding "ipa" theme package or "dogtag" theme package. \ +%{nil} + +%description %{overview} + + +%package -n dogtag-pki-common-theme +Summary: Certificate System - PKI Common Framework User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-common-theme +Conflicts: redhat-pki-common-ui + +# EPEL version of Dogtag "theme" ALWAYS replaces ALL versions of IPA "theme" +Obsoletes: ipa-pki-common-theme <= 9999 +Provides: ipa-pki-common-theme = %{version}-%{release} +%endif + +Obsoletes: dogtag-pki-common-ui <= 9 + +Provides: pki-common-theme = %{version}-%{release} +Provides: pki-common-ui = %{version}-%{release} + +%description -n dogtag-pki-common-theme +This PKI Common Framework User Interface contains +the Dogtag textual and graphical user interface for the PKI Common Framework. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-ca-theme +Summary: Certificate System - Certificate Authority User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ca-theme +Conflicts: redhat-pki-ca-ui + +# EPEL version of Dogtag "theme" ALWAYS replaces ALL versions of IPA "theme" +Obsoletes: ipa-pki-ca-theme <= 9999 +Provides: ipa-pki-ca-theme = %{version}-%{release} +%endif + +Obsoletes: dogtag-pki-ca-ui <= 9 + +Provides: pki-ca-theme = %{version}-%{release} +Provides: pki-ca-ui = %{version}-%{release} + +%description -n dogtag-pki-ca-theme +This Certificate Authority (CA) User Interface contains +the Dogtag textual and graphical user interface for the CA. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-kra-theme +Summary: Certificate System - Data Recovery Manager User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-kra-theme +Conflicts: redhat-pki-kra-ui +%endif + +Obsoletes: dogtag-pki-kra-ui <= 9 + +Provides: pki-kra-theme = %{version}-%{release} +Provides: pki-kra-ui = %{version}-%{release} + +%description -n dogtag-pki-kra-theme +This Data Recovery Manager (DRM) User Interface contains +the Dogtag textual and graphical user interface for the DRM. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-ocsp-theme +Summary: Certificate System - Online Certificate Status Protocol Manager User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ocsp-theme +Conflicts: redhat-pki-ocsp-ui +%endif + +Obsoletes: dogtag-pki-ocsp-ui <= 9 + +Provides: pki-ocsp-theme = %{version}-%{release} +Provides: pki-ocsp-ui = %{version}-%{release} + +%description -n dogtag-pki-ocsp-theme +This Online Certificate Status Protocol (OCSP) Manager User Interface contains +the Dogtag textual and graphical user interface for the OCSP Manager. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-ra-theme +Summary: Certificate System - Registration Authority User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-ra-theme +Conflicts: redhat-pki-ra-ui +%endif + +Obsoletes: dogtag-pki-ra-ui <= 9 + +Provides: pki-ra-theme = %{version}-%{release} +Provides: pki-ra-ui = %{version}-%{release} + +%description -n dogtag-pki-ra-theme +This Registration Authority (RA) User Interface contains +the Dogtag textual and graphical user interface for the RA. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-tks-theme +Summary: Certificate System - Token Key Service User Interface +Group: System Environment/Base + +Requires: dogtag-pki-common-theme = %{version}-%{release} + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-tks-theme +Conflicts: redhat-pki-tks-ui +%endif + +Obsoletes: dogtag-pki-tks-ui <= 9 + +Provides: pki-tks-theme = %{version}-%{release} +Provides: pki-tks-ui = %{version}-%{release} + +%description -n dogtag-pki-tks-theme +This Token Key Service (TKS) User Interface contains +the Dogtag textual and graphical user interface for the TKS. + +This package is used by the Dogtag Certificate System. 
+ +%{overview} + + +%package -n dogtag-pki-tps-theme +Summary: Certificate System - Token Processing System User Interface +Group: System Environment/Base + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-tps-theme +Conflicts: redhat-pki-tps-ui +%endif + +Obsoletes: dogtag-pki-tps-ui <= 9 + +Provides: pki-tps-theme = %{version}-%{release} +Provides: pki-tps-ui = %{version}-%{release} + +%description -n dogtag-pki-tps-theme +This Token Processing System (TPS) User Interface contains +the Dogtag textual and graphical user interface for the TPS. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%package -n dogtag-pki-console-theme +Summary: Certificate System - PKI Console User Interface +Group: System Environment/Base + +Requires: java >= 1:1.6.0 + +%if 0%{?rhel} +# EPEL version of Dogtag "theme" conflicts with all versions of Red Hat "theme" +Conflicts: redhat-pki-console-theme +Conflicts: redhat-pki-console-ui +%endif + +Obsoletes: dogtag-pki-console-ui <= 9 + +Provides: pki-console-theme = %{version}-%{release} +Provides: pki-console-ui = %{version}-%{release} + +%description -n dogtag-pki-console-theme +This PKI Console User Interface contains +the Dogtag textual and graphical user interface for the PKI Console. + +This package is used by the Dogtag Certificate System. + +%{overview} + + +%prep + + +%setup -q -n %{name}-%{version}%{?prerel} + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_DOGTAG_PKI_THEME:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/tps-ui/cgi-bin/sow/cfg.pl + + +# NOTE: Several "theme" packages require ownership of the "/usr/share/pki" +# directory because the PKI subsystems (CA, DRM, OCSP, TKS, RA, TPS) +# which require them may be installed either independently or in +# multiple combinations. +# +# Since CA, DRM, OCSP, and TKS subsystems all require the +# "dogtag-pki-common-theme" as well as their individual "themes", +# only "dogtag-pki-common-theme" needs to require this directory. +# +# However, RA and TPS subsystems still require their own individual +# ownership of this directory. + +%files -n dogtag-pki-common-theme +%defattr(-,root,root,-) +%doc dogtag/common-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/common-ui/ + + +%files -n dogtag-pki-ca-theme +%defattr(-,root,root,-) +%doc dogtag/ca-ui/LICENSE +%{_datadir}/pki/ca-ui/ + + +%files -n dogtag-pki-kra-theme +%defattr(-,root,root,-) +%doc dogtag/kra-ui/LICENSE +%{_datadir}/pki/kra-ui/ + + +%files -n dogtag-pki-ocsp-theme +%defattr(-,root,root,-) +%doc dogtag/ocsp-ui/LICENSE +%{_datadir}/pki/ocsp-ui/ + + +%files -n dogtag-pki-ra-theme +%defattr(-,root,root,-) +%doc dogtag/ra-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/ra-ui/ + + +%files -n dogtag-pki-tks-theme +%defattr(-,root,root,-) +%doc dogtag/tks-ui/LICENSE +%{_datadir}/pki/tks-ui/ + + +%files -n dogtag-pki-tps-theme +%defattr(-,root,root,-) +%doc dogtag/tps-ui/LICENSE +%dir %{_datadir}/pki +%{_datadir}/pki/tps-ui/ + + +%files -n dogtag-pki-console-theme +%defattr(-,root,root,-) +%doc dogtag/console-ui/LICENSE +%{_javadir}/pki/ + + +%changelog +* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1 +- Updated package version number + +* Thu Sep 22 2011 Andrew Wnuk 9.0.9-1 +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #737423 - Ability to view migrated policy requests + is very limited. 
(awnuk) +- 'dogtag-pki-common-theme' +- 'dogtag-pki-console-theme' +- 'dogtag-pki-kra-theme' +- 'dogtag-pki-ocsp-theme' +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- 'dogtag-pki-tps-theme' +- Bugzilla Bug #737184 - TPS UI display admin user name as + "undefined TUS Administrator". (awnuk) + +* Mon Sep 12 2011 Matthew Harmsen 9.0.8-1 +- 'dogtag-pki-ca-theme' +- 'dogtag-pki-common-theme' +- 'dogtag-pki-console-theme' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'dogtag-pki-kra-theme' +- 'dogtag-pki-ocsp-theme' +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- 'dogtag-pki-tps-theme' + +* Tue Aug 23 2011 Ade Lee 9.0.7-1 +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW +- 'dogtag-pki-common-theme' +- 'dogtag-pki-console-theme' +- 'dogtag-pki-kra-theme' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW +- 'dogtag-pki-ocsp-theme' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW +- 'dogtag-pki-tps-theme' + +* Thu Jul 14 2011 Matthew Harmsen 9.0.6-1 +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #695015 - Serial No. 
of a revoked certificate is not + populated in the CA signedAudit messages (alee) +- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk) +- Bugzilla Bug #704351 - remove help buttons in agent and ee UI in all + subsystems (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-common-theme' +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-console-theme' +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-kra-theme' +- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk) +- Bugzilla Bug #704351 - remove help buttons in agent and ee UI in all + subsystems (alee) +- Bugzilla Bug #714068 - KRA: remove monitor servlet from kra (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-ocsp-theme' +- Bugzilla Bug #704351 - remove help buttons in agent and ee UI in all + subsystems (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-ra-theme' +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-tks-theme' +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'dogtag-pki-tps-theme' +- Bugzilla Bug #491008 - Security Officer: Format Card, Set Home URL and + Format SO card has 'home phone URL' (jmagne) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) + +* Tue Apr 26 2011 Matthew Harmsen 9.0.5-1 +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #695015 - Serial No. 
of a revoked certificate is not + populated in the CA signedAudit messages +- Bugzilla Bug #694143 - CA Agent not returning specified request +- 'dogtag-pki-common-theme' +- 'dogtag-pki-console-theme' +- 'dogtag-pki-kra-theme' +- Bugzilla Bug #694143 - CA Agent not returning specified request +- 'dogtag-pki-ocsp-theme' +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- 'dogtag-pki-tps-theme' + +* Tue Apr 5 2011 Matthew Harmsen 9.0.4-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- 'dogtag-pki-ca-theme' +- 'dogtag-pki-common-theme' +- 'dogtag-pki-console-theme' +- 'dogtag-pki-kra-theme' +- 'dogtag-pki-ocsp-theme' +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- 'dogtag-pki-tps-theme' +- Bugzilla Bug #691447 - TPS UI Admin tab 'Add new token' opens a + page with text 'Agent operations: Add new tokens'. +- Bugzilla Bug #691867 - add ldaps support through perLDAP + +* Fri Mar 25 2011 Matthew Harmsen 9.0.3-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- 'dogtag-pki-ca-theme' +- 'dogtag-pki-common-theme' +- Bugzilla Bug #683581 - CA configuration with ECC(Default + EC curve-nistp521) CA fails with 'signing operation failed' +- 'dogtag-pki-console-theme' +- 'dogtag-pki-kra-theme' +- 'dogtag-pki-ocsp-theme' +- 'dogtag-pki-ra-theme' +- 'dogtag-pki-tks-theme' +- 'dogtag-pki-tps-theme' +- Bugzilla Bug #684259 - wrong group used for tps operators + +* Thu Mar 17 2011 Matthew Harmsen 9.0.2-1 +- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) +- Bugzilla Bug #676421 - CC: Remove unused TPS interface calls and add + audit logging +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #678142 - Flakey JAR packaging encountered on Fedora 15 + when using Mock + +* Fri Feb 4 2011 Matthew Harmsen 9.0.1-1 +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap + +* Fri Jan 21 2011 
Matthew Harmsen 9.0.0-3 +- Bugzilla Bug #671030 - Review Request: dogtag-pki-theme - Certificate + System, Dogtag PKI Theme Components +- Augmented overview description. +- Isolated and corrected EPEL information +- Added comment regarding '/usr/share/pki' file ownership +- 'dogtag-pki-common-theme' +- Bugzilla Bug #671058 - ipa2 - ipa-server-install fails on pkisilent - + xml parsing string -- ? +- 'dogtag-pki-ca-theme' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Thu Jan 20 2011 Matthew Harmsen 9.0.0-2 +- Bugzilla Bug #671030 - Review Request: dogtag-pki-theme - Certificate + System, Dogtag PKI Theme Components +- Added 'java-devel' and 'jpackage' build requirements +- Added 'java' runtime requirement to 'dogtag-pki-console-theme' +- Added file mode change to installation section +- Deleted explicit file mode change from files inventory section + +* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- 'dogtag-pki-ca-theme' (formerly 'dogtag-pki-ca-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). 
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-common-theme' (formerly 'dogtag-pki-common-ui') +- Bugzilla Bug #630126 - clone installation wizard basedn for internal + db should not be changeable +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-console-theme' (formerly 'dogtag-pki-console-ui') +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all + security relevant config items +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. 
support +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'dogtag-pki-kra-theme' (formerly 'dogtag-pki-kra-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-ocsp-theme' (formerly 'dogtag-pki-ocsp-ui') +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-ra-theme' (formerly 'dogtag-pki-ra-ui') +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- 'dogtag-pki-tks-theme' (formerly 'dogtag-pki-tks-ui') +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- 'dogtag-pki-tps-theme' (formerly 'dogtag-pki-tps-ui') +- Bugzilla Bug #607373 - add self test framework to TPS subsytem +- Bugzilla Bug #607374 - add self test to TPS self test framework +- Bugzilla Bug #624847 - Installed TPS cannot be started to be configured. +- Bugzilla Bug #630018 - Delete button missing from Edit Profile page. 
+- Bugzilla Bug #609331 - Should not be able to manually change the status + on a token marked as permanently lost or destroyed - fix confirmation + page +- Bugzilla Bug #533529 - rhcs80 web wizard - broken login page when + using valid pin +- Bugzilla Bug #642692 - TPS UI Admin tab: Remove 'Submit For Approval' + greyed out button from the subsystem connection edit page. +- Bugzilla Bug #646545 - TPS Agent tab: displays approve list parameter + with last character chopped. +- Bugzilla Bug #528249 - rhcs80 - web pages, css -moz-opacity deprecated +- Bugzilla Bug #532724 - Feature: ESC Security officer work station should + display % of operation complete for format SO card +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface + diff --git a/specs/dogtag-pki.spec b/specs/dogtag-pki.spec new file mode 100644 index 000000000..499334053 --- /dev/null +++ b/specs/dogtag-pki.spec 
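Review bot: `Source0` in specs/dogtag-pki-theme.spec points at a plain `http://` tarball and nothing between `%prep` and `%setup` checks what was fetched, so the theme content installed under `%{_datadir}/pki` (including `tps-ui/cgi-bin/sow/cfg.pl`, which `%install` marks 755) is only as trustworthy as the network path to the download host. If upstream publishes detached signatures, I would add the signature and keyring as extra sources and verify before `%setup`, e.g. `%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'` where the build target provides that macro. Failing that, switching the URL to https (if the host serves it) and adding a comment recording how the tarball was verified would at least document the trust path. The same `Source0` pattern appears in specs/ipa-pki-theme.spec.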
@@ -0,0 +1,228 @@ +# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release +# also remove the space between % and global - this space is needed because +# fedpkg verrel stupidly ignores comment lines +%global prerel .a1 +# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release +%global relprefix 0. + +Summary: Dogtag Public Key Infrastructure (PKI) Suite +Name: dogtag-pki +Version: 10.0.0 +Release: %{?relprefix}1%{?prerel}%{?dist} +# The entire source code is GPLv2 except for 'pki-tps' which is LGPLv2 +License: GPLv2 and LGPLv2 +URL: http://pki.fedoraproject.org/ +Group: System Environment/Daemons +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildArch: noarch + +# Establish MINIMUM package versions based upon platform +%if 0%{?fedora} >= 17 +%define dogtag_pki_theme_version 10.0.0 +%define esc_version 1.1.0 +%define jss_version 4.2.6-21 +%define pki_core_version 10.0.0 +%define pki_kra_version 10.0.0 +%define pki_ocsp_version 10.0.0 +%define pki_ra_version 10.0.0 +%define pki_tks_version 10.0.0 +%define pki_tps_version 10.0.0 +%define pki_console_version 10.0.0 +%define tomcatjss_version 6.0.2 +%else +%if 0%{?fedora} >= 16 +%define dogtag_pki_theme_version 10.0.0 +%define esc_version 1.1.0 +%define jss_version 4.2.6-19.1 +%define pki_core_version 10.0.0 +%define pki_kra_version 10.0.0 +%define pki_ocsp_version 10.0.0 +%define pki_ra_version 10.0.0 +%define pki_tks_version 10.0.0 +%define pki_tps_version 10.0.0 +%define pki_console_version 10.0.0 +%define tomcatjss_version 6.0.2 +%else +%define dogtag_pki_theme_version 10.0.0 +%define esc_version 1.1.0 +%define jss_version 4.2.6-17 +%define pki_core_version 10.0.0 +%define pki_kra_version 10.0.0 +%define pki_ocsp_version 10.0.0 +%define pki_ra_version 10.0.0 +%define pki_tks_version 10.0.0 +%define pki_tps_version 10.0.0 +%define pki_console_version 10.0.0 +%define tomcatjss_version 2.0.0 +%endif +%endif + 
+Requires: apache-commons-codec + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL top-level Dogtag PKI support packages +Requires: jss >= %{jss_version} +Requires: tomcatjss >= %{tomcatjss_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL top-level Dogtag PKI support javadocs +Requires: jss-javadoc >= %{jss_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL Dogtag PKI theme packages +Requires: dogtag-pki-ca-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-common-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-console-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-kra-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-ocsp-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-ra-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-tks-theme >= %{dogtag_pki_theme_version} +Requires: dogtag-pki-tps-theme >= %{dogtag_pki_theme_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL Dogtag PKI core packages +Requires: pki-ca >= %{pki_core_version} +Requires: pki-common >= %{pki_core_version} +Requires: pki-java-tools >= %{pki_core_version} +Requires: pki-native-tools >= %{pki_core_version} +Requires: pki-selinux >= %{pki_core_version} +Requires: pki-setup >= %{pki_core_version} +Requires: pki-silent >= %{pki_core_version} +Requires: pki-symkey >= %{pki_core_version} +Requires: pki-util >= %{pki_core_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL Dogtag PKI core javadocs +Requires: pki-common-javadoc >= %{pki_core_version} +Requires: pki-java-tools-javadoc >= %{pki_core_version} +Requires: pki-util-javadoc >= %{pki_core_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL other Dogtag PKI subsystems +Requires: pki-kra >= %{pki_kra_version} +Requires: pki-ocsp >= %{pki_ocsp_version} 
+Requires: pki-ra >= %{pki_ra_version} +Requires: pki-tks >= %{pki_tks_version} +Requires: pki-tps >= %{pki_tps_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of Dogtag PKI console +Requires: pki-console >= %{pki_console_version} + +# Make certain that this 'meta' package requires the latest version(s) +# of ALL Dogtag PKI clients +Requires: esc >= %{esc_version} + +# NOTE: Several PKI packages require a "virtual" theme component. These +# "virtual" theme components are "Provided" by various theme "flavors" +# including "dogtag", "redhat", and "ipa". Consequently, +# all "dogtag", "redhat", and "ipa" theme components MUST be +# mutually exclusive! +# +# On Fedora systems, the "dogtag" theme packages are the ONLY available +# theme components. +# +# Similarly, the "ipa" theme packages are ONLY available on RHEL +# systems, and represent the default theme components. +# +# Alternatively, on RHEL systems, if the "dogtag" theme packages are +# available as EPEL packages, while they may be used as a transparent +# replacement for their corresponding "ipa" theme package, they are not +# intended to be used as a replacement for their corresponding "redhat" +# theme components. +# +# Finally, if available for a RHEL system (e. g. - RHCS subscription), +# each "redhat" theme package MUST be used as a transparent replacement +# for its corresponding "ipa" theme package or "dogtag" theme package. 
+Obsoletes: ipa-pki +Conflicts: redhat-pki + +%description +The Dogtag Public Key Infrastructure (PKI) Suite is comprised of the following +six subsystems and a client (for use by a Token Management System): + + * Certificate Authority (CA) + * Data Recovery Manager (DRM) + * Online Certificate Status Protocol (OCSP) Manager + * Registration Authority (RA) + * Token Key Service (TKS) + * Token Processing System (TPS) + * Enterprise Security Client (ESC) + +Additionally, it provides a console GUI application used for server and +user/group administration of CA, DRM, OCSP, and TKS, javadocs on portions +of the Dogtag API, as well as various command-line tools used to assist with +a PKI deployment. + +To successfully deploy instances of a CA, DRM, OCSP, or TKS, +a Tomcat Web Server must be up and running locally on this machine. + +To successfully deploy instances of an RA, or TPS, +an Apache Web Server must be up and running locally on this machine. + +To meet the database storage requirements of each CA, DRM, OCSP, TKS, or TPS +instance, a 389 Directory Server must be up and running either locally on +this machine, or remotely over the attached network connection. + +To meet the database storage requirements of an RA, an SQLite database will +be created locally on this machine each time a new RA instance is created. + +After installation of this package, use the 'pkicreate' and 'pkiremove' +utilities to respectively create and remove PKI instances. + +%prep +cat > README < 10.0.0-0.3.a1 +- Removed dependency on OSUtil. + +* Wed Feb 22 2012 Endi S. Dewata 10.0.0-0.2.a1 +- Added dependency on Apache Commons Codec. + +* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1 +- Updated package version number + +* Fri Oct 28 2011 Matthew Harmsen 9.0.8-1 +- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 + (rawhide) . . . +- Bugzilla Bug #749945 - Installation error reported during CA, DRM, + OCSP, and TKS package installation . . . 
+ +* Thu Sep 22 2011 Matthew Harmsen 9.0.7-1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) + +* Mon Sep 12 2011 Matthew Harmsen 9.0.0-6 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- Established MINIMUM package versions based upon platform + +* Thu Jul 14 2011 Matthew Harmsen 9.0.0-5 +- Bugzilla Bug #669226 - Remove Legacy Build System +- Updated release of 'tomcatjss' for Fedora 15 + +* Wed Jul 13 2011 Matthew Harmsen 9.0.0-4 +- Updated release of 'osutil' for Fedora 15 +- Updated release of 'jss' and 'jss-javadoc' + +* Tue Apr 5 2011 Matthew Harmsen 9.0.0-3 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #693327 - Missing requires: tomcatjss + +* Fri Mar 25 2011 Matthew Harmsen 9.0.0-2 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Require "tomcatjss >= 2.1.1" as a build and runtime requirement + for Fedora 15 and later platforms + +* Wed Mar 23 2011 Matthew Harmsen 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0. diff --git a/specs/ipa-pki-theme.spec b/specs/ipa-pki-theme.spec new file mode 100644 index 000000000..1b9ef9eba --- /dev/null +++ b/specs/ipa-pki-theme.spec 
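Review bot: `Obsoletes: ipa-pki` in specs/dogtag-pki.spec has no version bound, so this meta package would replace every future build of that name rather than only the releases it is meant to supersede; on a CA host that can silently change which PKI suite is installed. The theme spec in this same commit bounds its obsoletes (`Obsoletes: ipa-pki-common-theme <= 9999`), and I would bound this one too, e.g. `Obsoletes: ipa-pki < LAST_IPA_PKI_EVR` (placeholder for the last release that should be replaced). Separately, as a style point, the three platform branches repeat nine identical `%define` lines and differ only in `jss_version` and `tomcatjss_version`; defining the shared values once outside the `%if` would make the per-platform minimums easier to audit.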
@@ -0,0 +1,181 @@
+# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release
+# also remove the space between % and global - this space is needed because
+# fedpkg verrel stupidly ignores comment lines
+%global prerel .a1
+# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release
+%global relprefix 0.
+
+Name: ipa-pki-theme
+Version: 10.0.0
+Release: %{?relprefix}1%{?prerel}%{?dist}
+Summary: Certificate System - IPA PKI Theme Components
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
+
+%if 0%{?rhel}
+ExcludeArch: ppc ppc64 s390 s390x
+%endif
+
+%global overview \
+Several PKI packages require a "virtual" theme component. These \
+"virtual" theme components are "Provided" by various theme "flavors" \
+including "dogtag", "redhat", and "ipa". Consequently, \
+all "dogtag", "redhat", and "ipa" theme components MUST be \
+mutually exclusive! \
+ \
+On Fedora systems, the "dogtag" theme packages are the ONLY available \
+theme components. \
+ \
+Similarly, the "ipa" theme packages are ONLY available on RHEL \
+systems, and represent the default theme components. \
+ \
+Alternatively, on RHEL systems, if the "dogtag" theme packages are \
+available as EPEL packages, while they may be used as a transparent \
+replacement for their corresponding "ipa" theme package, they are not \
+intended to be used as a replacement for their corresponding "redhat" \
+theme components. \
+ \
+Finally, if available for a RHEL system (e. g. - RHCS subscription), \
+each "redhat" theme package MUST be used as a transparent replacement \
+for its corresponding "ipa" theme package or "dogtag" theme package.
\
+%{nil}
+
+%description %{overview}
+
+
+%package -n ipa-pki-common-theme
+Summary: Certificate System - PKI Common Framework User Interface
+Group: System Environment/Base
+
+Conflicts: dogtag-pki-common-theme
+Conflicts: dogtag-pki-common-ui
+Conflicts: redhat-pki-common-theme
+Conflicts: redhat-pki-common-ui
+
+Provides: pki-common-theme = %{version}-%{release}
+Provides: pki-common-ui = %{version}-%{release}
+
+%description -n ipa-pki-common-theme
+This PKI Common Framework User Interface contains
+NO textual or graphical user interface for the PKI Common Framework.
+
+This package is used by the Certificate System utilized by IPA.
+
+%{overview}
+
+
+%package -n ipa-pki-ca-theme
+Summary: Certificate System - Certificate Authority User Interface
+Group: System Environment/Base
+
+Requires: ipa-pki-common-theme = %{version}-%{release}
+
+Conflicts: dogtag-pki-ca-theme
+Conflicts: dogtag-pki-ca-ui
+Conflicts: redhat-pki-ca-theme
+Conflicts: redhat-pki-ca-ui
+
+Provides: pki-ca-theme = %{version}-%{release}
+Provides: pki-ca-ui = %{version}-%{release}
+
+%description -n ipa-pki-ca-theme
+This Certificate Authority (CA) User Interface contains
+NO textual or graphical user interface for the CA.
+
+This package is used by the Certificate System utilized by IPA.
+
+%{overview}
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}%{?prerel}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DBUILD_IPA_PKI_THEME:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+
+%files -n ipa-pki-common-theme
+%defattr(-,root,root,-)
+%doc dogtag/common-ui/LICENSE
+%dir %{_datadir}/pki
+%{_datadir}/pki/common-ui/
+
+
+%files -n ipa-pki-ca-theme
+%defattr(-,root,root,-)
+%doc dogtag/ca-ui/LICENSE
+%{_datadir}/pki/ca-ui/
+
+
+%changelog
+* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1
+- Updated package version number
+
+* Tue Aug 23 2011 Matthew Harmsen 9.0.5-1
+- 'ipa-pki-ca-theme'
+- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not
+ populated in the CA signedAudit messages (alee)
+- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk)
+- Bugzilla Bug #704351 - remove help buttons in agent and ee UI in all
+ subsystems (alee)
+- Bugzilla Bug #712931 - CS requires too many ports
+ to be open in the FW (alee)
+- 'ipa-pki-common-theme'
+
+* Thu Jul 14 2011 Matthew Harmsen 9.0.4-1
+- 'ipa-pki-ca-theme'
+- Bugzilla Bug #669226 - Remove Legacy Build System
+- 'ipa-pki-common-theme'
+- Bugzilla Bug #669226 - Remove Legacy Build System
+
+* Thu Jan 20 2011 Matthew Harmsen 9.0.3-1
+- Augmented overview description.
+- 'ipa-pki-ca-theme'
+- Bugzilla Bug #564207 - Searches for completed requests in the agent
+ interface returns zero entries
+
+* Thu Jan 20 2011 Matthew Harmsen 9.0.2-1
+- 'ipa-pki-common-theme'
+- Bugzilla Bug #671058 - ipa2 - ipa-server-install fails on pkisilent -
+ xml parsing string -- ?
+
+* Tue Jan 18 2011 Matthew Harmsen 9.0.1-1
+- Made 'ipa-pki-common-theme' a runtime dependency of 'ipa-pki-ca-theme'
+- https://pkgdb.lab.eng.bos.redhat.com/pkg/packages/srpm/5936/
+- Package Wrangler: applied GPLv2 license header to 'xml.vm'
+
+* Thu Jan 13 2011 Matthew Harmsen 9.0.0-2
+- Bugzilla Bug #668836 - Review Request: ipa-pki-theme
+- Modified overview to pertain more to these packages
+- Removed "Obsoletes:" lines (only pertinent to internal deployments)
+- Modified installation section to preserve timestamps
+- Removed sectional comments
+
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)
+
diff --git a/specs/pki-console.spec b/specs/pki-console.spec
new file mode 100644
index 000000000..987fd7e45
--- /dev/null
+++ b/specs/pki-console.spec
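Review bot: `Source0` in specs/ipa-pki-theme.spec names the release tarball over plain `http://`, and `%prep` goes straight to `%setup` with no integrity check, so the spec on its own does not pin what gets unpacked and built for a PKI suite. If the host serves TLS (not verifiable from this page), use `Source0: https://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz`, and consider shipping a detached signature as a second source that `%prep` verifies before `%setup`. The same `Source0` form is used in specs/pki-console.spec and specs/pki-core.spec further down. Builds fed from a checksummed lookaside cache are less exposed, but anyone fetching the source from the URL in the spec is not covered by that.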
@@ -0,0 +1,176 @@
+# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release
+# also remove the space between % and global - this space is needed because
+# fedpkg verrel stupidly ignores comment lines
+%global prerel .a1
+# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release
+%global relprefix 0.
+
+Name: pki-console
+Version: 10.0.0
+Release: %{?relprefix}3%{?prerel}%{?dist}
+Summary: Certificate System - PKI Console
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: idm-console-framework
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: ldapjdk
+BuildRequires: nspr-devel
+BuildRequires: nss-devel
+%if 0%{?fedora} >= 17
+BuildRequires: junit
+%else
+BuildRequires: junit4
+%endif
+%if 0%{?fedora} >= 16
+BuildRequires: jpackage-utils >= 1.7.5-10
+BuildRequires: jss >= 4.2.6-19.1
+BuildRequires: pki-util >= 9.0.15
+%else
+BuildRequires: jpackage-utils
+BuildRequires: jss >= 4.2.6-17
+BuildRequires: pki-util
+%endif
+
+Requires: idm-console-framework
+Requires: java >= 1:1.6.0
+Requires: ldapjdk
+Requires: pki-console-theme >= 9.0.0
+%if 0%{?fedora} >= 16
+Requires: jpackage-utils >= 1.7.5-10
+Requires: jss >= 4.2.6-19.1
+%else
+Requires: jpackage-utils
+Requires: jss >= 4.2.6-17
+%endif
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
+
+%description
+Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+The PKI Console is a java application used to administer CS.
+
+For deployment purposes, a PKI Console requires ONE AND ONLY ONE of the
+following "Mutually-Exclusive" PKI Theme packages:
+
+ * dogtag-pki-theme (Dogtag Certificate System deployments)
+ * redhat-pki-theme (Red Hat Certificate System deployments)
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}%{?prerel}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CONSOLE:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/console/LICENSE
+%{_bindir}/pkiconsole
+%{_javadir}/pki/
+
+
+%changelog
+* Wed Mar 14 2012 Matthew Harmsen 10.0.0-0.3.a1
+- Corrected 'junit' dependency check
+
+* Wed Feb 22 2012 Matthew Harmsen 10.0.0-0.2.a1
+- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements
+
+* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1
+- Updated package version number
+
+* Thu Sep 22 2011 Matthew Harmsen 9.0.5-1
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
+- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
+
+* Wed Aug 31 2011 Matthew Harmsen 9.0.4-1
+- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . .
+
+* Thu Jul 14 2011 Matthew Harmsen 9.0.3-1
+- Bugzilla Bug #700462 - No action on clicking "Help" button of
+ pkiconsole's right pane (alee)
+- Bugzilla Bug #697939 - DRM signed audit log message - operation should
+ be read instead of modify (jmagne)
+- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen)
+- Updated release of 'jss'
+
+* Fri Mar 25 2011 Matthew Harmsen 9.0.2-1
+- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta)
+- Require "jss >= 4.2.6-15" as a build and runtime requirement
+
+* Thu Mar 17 2011 Matthew Harmsen 9.0.1-1
+- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha)
+- Bugzilla Bug #676682 - REGRESSION: Restore missing 'gif' files
+ to console . . .
+
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0
+- Bugzilla Bug #607380 - CC: Make sure Java Console can configure
+ all security relevant config items
+- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned
+ by Reason Code - onlySomeReasons ?
+- Bugzilla Bug #518241 - pkiconsole does not launch when CA is configured
+ with ECC
+- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple
+ Certificates from the Same Request
+- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing
+ e.c. support
+- Bugzilla Bug #638377 - Generate PKI UI components which exclude
+ a GUI interface
+- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
+- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature
+- Bugzilla Bug #662201 - Console: View button for log messages
+ is not functional.
+- Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
+- Bugzilla Bug #663546 - Disable the functionalities that are not exposed
+ in the console
+- Bugzilla Bug #656733 - Standardize jar install location and jar names
+- Bugzilla Bug #642741 - CS build uses deprecated functions
+
+* Wed Apr 21 2010 Andrew Wnuk 1.3.2-1
+- Bugzilla Bug #493765 - console renewal fix for ca, ocsp, and ssl certificates
+
+* Mon Feb 08 2010 Matthew Harmsen 1.3.1-1
+- Bugzilla Bug #562986 - Supply convenience symlink(s) for backwards
+ compatibility (rename jar files as appropriate)
+
+* Fri Jan 15 2010 Kevin Wright 1.3.0-4
+- removed BuildRequires dogtag-pki-console-ui
+
+* Wed Jan 06 2010 Matthew Harmsen 1.3.0-3
+- Bugzilla Bug #553487 - Review Request: pki-console
+- The Dogtag PKI Console
+- Take ownership of directories
+
+* Mon Dec 14 2009 Kevin Wright 1.3.0-2
+- Removed 'with exceptions' from License
+
+* Thu Oct 15 2009 Ade Lee 1.3.0-1
+- Bugzilla Bug #X - Packaging for Fedora Dogtag
+
diff --git a/specs/pki-core.spec b/specs/pki-core.spec
new file mode 100644
index 000000000..2c1906fc5
--- /dev/null
+++ b/specs/pki-core.spec
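Review bot: In `%build` of specs/pki-console.spec, `-DVAR_INSTALL_DIR:PATH=/var` hard-codes the state directory while the rest of the spec relies on path macros (`%{_bindir}`, `%{_javadir}`, `%{_jnidir}`). Passing `-DVAR_INSTALL_DIR:PATH=%{_localstatedir}` keeps the build consistent with whatever the platform's macro set defines. The same literal appears in the `%cmake` line of specs/pki-core.spec, whose hunk continues past this part of the page.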
@@ -0,0 +1,2174 @@ +# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release +# also remove the space between % and global - this space is needed because +# fedpkg verrel stupidly ignores comment lines +%global prerel .a1 +# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release +%global relprefix 0. + +%if ! (0%{?fedora} > 12 || 0%{?rhel} > 5) +%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from +distutils.sysconfig import get_python_lib; print(get_python_lib())")} +%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from +distutils.sysconfig import get_python_lib; print(get_python_lib(1))")} +%endif + +Name: pki-core +Version: 10.0.0 +Release: %{?relprefix}11%{?prerel}%{?dist} +Summary: Certificate System - PKI Core Components +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +# specify '_unitdir' macro for platforms that don't use 'systemd' +%if 0%{?rhel} || 0%{?fedora} < 16 +%define _unitdir /lib/systemd/system +%endif + +# tomcatjss requires versioning since version 2.0.0 requires tomcat6 +BuildRequires: cmake +BuildRequires: java-devel >= 1:1.6.0 +BuildRequires: ldapjdk +BuildRequires: apache-commons-codec +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: openldap-devel +BuildRequires: pkgconfig +BuildRequires: policycoreutils +BuildRequires: selinux-policy-devel +BuildRequires: velocity +BuildRequires: xalan-j2 +BuildRequires: xerces-j2 +BuildRequires: candlepin-deps >= 0.0.21-1 +%if 0%{?fedora} >= 17 +BuildRequires: junit +%else +BuildRequires: junit4 +%endif +%if 0%{?fedora} >= 16 +BuildRequires: jpackage-utils >= 0:1.7.5-10 +BuildRequires: jss >= 4.2.6-19.1 +BuildRequires: systemd-units +BuildRequires: tomcatjss >= 6.0.2 +%else +%if 0%{?fedora} >= 15 +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-17 
+BuildRequires: tomcatjss >= 6.0.0 +%else +BuildRequires: jpackage-utils +BuildRequires: jss >= 4.2.6-17 +BuildRequires: tomcatjss >= 2.0.0 +%endif +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz + +Patch0: %{name}-selinux-f16.patch +Patch1: %{name}-selinux-f17.patch + +%if 0%{?rhel} +ExcludeArch: ppc ppc64 s390 s390x +%endif + +%global saveFileContext() \ +if [ -s /etc/selinux/config ]; then \ + . %{_sysconfdir}/selinux/config; \ + FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ + if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \ + cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \ + fi \ +fi; + +%global relabel() \ +. %{_sysconfdir}/selinux/config; \ +FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \ +selinuxenabled; \ +if [ $? == 0 -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \ + fixfiles -C ${FILE_CONTEXT}.%{name} restore; \ + rm -f ${FILE_CONTEXT}.%name; \ +fi; + +%global overview \ +================================== \ +|| ABOUT "CERTIFICATE SYSTEM" || \ +================================== \ + \ +Certificate System (CS) is an enterprise software system designed \ +to manage enterprise Public Key Infrastructure (PKI) deployments. 
\ + \ +PKI Core contains ALL top-level java-based Tomcat PKI components: \ + \ + * pki-deploy \ + * pki-setup \ + * pki-symkey \ + * pki-native-tools \ + * pki-util \ + * pki-util-javadoc \ + * pki-java-tools \ + * pki-java-tools-javadoc \ + * pki-common \ + * pki-common-javadoc \ + * pki-selinux \ + * pki-ca \ + * pki-kra \ + * pki-ocsp \ + * pki-tks \ + \ +which comprise the following corresponding PKI subsystems: \ + \ + * Certificate Authority (CA) \ + * Data Recovery Manager (DRM) \ + * Online Certificate Status Protocol (OCSP) Manager \ + * Token Key Service (TKS) \ + \ +For deployment purposes, PKI Core contains fundamental packages \ +required by BOTH native-based Apache AND java-based Tomcat \ +Certificate System instances consisting of the following components: \ + \ + * pki-native-tools \ + * pki-selinux \ + * pki-setup \ + * pki-silent (required for IPA deployments; optional otherwise) \ + \ +Additionally, PKI Core contains the following fundamental packages \ +required ONLY by ALL java-based Tomcat Certificate System instances: \ + \ + * pki-common \ + * pki-java-tools \ + * pki-symkey (ONLY required for TKS subsystems) \ + * pki-util \ + \ +PKI Core also includes the following components: \ + \ + * pki-common-javadoc \ + * pki-java-tools-javadoc \ + * pki-util-javadoc \ + \ +Finally, for deployment purposes, Certificate System requires ONE AND \ +ONLY ONE of the following "Mutually-Exclusive" PKI Theme packages: \ + \ + * dogtag-pki-theme (Dogtag Certificate System deployments) \ + * ipa-pki-theme (IPA deployments) \ + * redhat-pki-theme (Red Hat Certificate System deployments) \ + \ +%{nil} + +%description %{overview} + + +%package -n pki-deploy +Summary: Certificate System - PKI Instance Deployment Scripts +Group: System Environment/Base + +BuildArch: noarch + +%description -n pki-deploy +PKI deployment scripts are used to create and remove instances from PKI deployments. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-setup +Summary: Certificate System - PKI Instance Creation & Removal Scripts +Group: System Environment/Base + +BuildArch: noarch + +Requires: perl(File::Slurp) +Requires: perl(XML::LibXML) +Requires: perl-Crypt-SSLeay +Requires: policycoreutils +Requires: openldap-clients + +%description -n pki-setup +PKI setup scripts are used to create and remove instances from PKI deployments. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-symkey +Summary: Symmetric Key JNI Package +Group: System Environment/Libraries + +Requires: java >= 1:1.6.0 +Requires: nss +%if 0%{?fedora} >= 16 +Requires: jpackage-utils >= 0:1.7.5-10 +Requires: jss >= 4.2.6-19.1 +%else +Requires: jpackage-utils +Requires: jss >= 4.2.6-17 +%endif + +Provides: symkey = %{version}-%{release} + +Obsoletes: symkey < %{version}-%{release} + +%description -n pki-symkey +The Symmetric Key Java Native Interface (JNI) package supplies various native +symmetric key operations to Java programs. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-native-tools +Summary: Certificate System - Native Tools +Group: System Environment/Base + +Requires: openldap-clients +Requires: nss +Requires: nss-tools + +%description -n pki-native-tools +These platform-dependent PKI executables are used to help make +Certificate System into a more complete and robust PKI solution. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-util +Summary: Certificate System - PKI Utility Framework +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: ldapjdk +Requires: apache-commons-codec +%if 0%{?fedora} >= 16 +Requires: jpackage-utils >= 0:1.7.5-10 +Requires: jss >= 4.2.6-19.1 +%else +%if 0%{?fedora} >= 15 +Requires: jpackage-utils +Requires: jss >= 4.2.6-17 +%else +Requires: jpackage-utils +Requires: jss >= 4.2.6-17 +%endif +%endif + +%description -n pki-util +The PKI Utility Framework is required by the following four PKI subsystems: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, and + the Token Key Service (TKS). + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-util-javadoc +Summary: Certificate System - PKI Utility Framework Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-util = %{version}-%{release} + +%description -n pki-util-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Utility Framework. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-java-tools +Summary: Certificate System - PKI Java-Based Tools +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-native-tools = %{version}-%{release} +Requires: pki-util = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires: jpackage-utils >= 0:1.7.5-10 +%else +Requires: jpackage-utils +%endif + +%description -n pki-java-tools +These platform-independent PKI executables are used to help make +Certificate System into a more complete and robust PKI solution. + +This package is a part of the PKI Core used by the Certificate System. 
+ +%{overview} + + +%package -n pki-java-tools-javadoc +Summary: Certificate System - PKI Java-Based Tools Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-java-tools = %{version}-%{release} + +%description -n pki-java-tools-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Java-Based Tools. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-common +Summary: Certificate System - PKI Common Framework +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: candlepin-deps >= 0.0.21-1 +Requires: javassist +Requires: jettison +Requires: pki-common-theme >= 9.0.0 +Requires: pki-java-tools = %{version}-%{release} +Requires: pki-deploy = %{version}-%{release} +Requires: pki-setup = %{version}-%{release} +Requires: %{_javadir}/ldapjdk.jar +Requires: %{_javadir}/velocity.jar +Requires: %{_javadir}/xalan-j2.jar +Requires: %{_javadir}/xalan-j2-serializer.jar +Requires: %{_javadir}/xerces-j2.jar +Requires: %{_javadir}/xml-commons-apis.jar +Requires: %{_javadir}/xml-commons-resolver.jar +Requires: velocity +%if 0%{?fedora} >= 16 +Requires: apache-commons-lang +Requires: apache-commons-logging +Requires: jss >= 4.2.6-19.1 +Requires: tomcatjss >= 6.0.2 +%else +%if 0%{?fedora} >= 15 +Requires: apache-commons-lang +Requires: apache-commons-logging +Requires: jss >= 4.2.6-17 +Requires: tomcatjss >= 6.0.0 +%else +%if 0%{?fedora} >= 14 +Requires: apache-commons-lang +Requires: apache-commons-logging +Requires: jss >= 4.2.6-17 +Requires: tomcatjss >= 2.0.0 +%else +Requires: jakarta-commons-lang +Requires: jakarta-commons-logging +Requires: jss >= 4.2.6-17 +Requires: tomcatjss >= 2.0.0 +%endif +%endif +%endif + +%description -n pki-common +The PKI Common Framework is required by the following four PKI subsystems: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, 
and + the Token Key Service (TKS). + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-common-javadoc +Summary: Certificate System - PKI Common Framework Javadocs +Group: Documentation + +BuildArch: noarch + +Requires: pki-common = %{version}-%{release} + +%description -n pki-common-javadoc +This documentation pertains exclusively to version %{version} of +the PKI Common Framework. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-selinux +Summary: Certificate System - PKI Selinux Policies +Group: System Environment/Base + +BuildArch: noarch + +Requires: policycoreutils +Requires: selinux-policy-targeted + +%description -n pki-selinux +Selinux policies for the PKI components. + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-ca +Summary: Certificate System - Certificate Authority +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-ca-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-ca +The Certificate Authority (CA) is a required PKI subsystem which issues, +renews, revokes, and publishes certificates as well as compiling and +publishing Certificate Revocation Lists (CRLs). 
+ +The Certificate Authority can be configured as a self-signing Certificate +Authority, where it is the root CA, or it can act as a subordinate CA, +where it obtains its own signing certificate from a public CA. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-kra +Summary: Certificate System - Data Recovery Manager +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-kra-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-kra +The Data Recovery Manager (DRM) is an optional PKI subsystem that can act +as a Key Recovery Authority (KRA). When configured in conjunction with the +Certificate Authority (CA), the DRM stores private encryption keys as part of +the certificate enrollment process. The key archival mechanism is triggered +when a user enrolls in the PKI and creates the certificate request. Using the +Certificate Request Message Format (CRMF) request format, a request is +generated for the user's private encryption key. 
This key is then stored in +the DRM which is configured to store keys in an encrypted format that can only +be decrypted by several agents requesting the key at one time, providing for +protection of the public encryption keys for the users in the PKI deployment. + +Note that the DRM archives encryption keys; it does NOT archive signing keys, +since such archival would undermine non-repudiation properties of signing keys. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-ocsp +Summary: Certificate System - Online Certificate Status Protocol Manager +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-ocsp-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-ocsp +The Online Certificate Status Protocol (OCSP) Manager is an optional PKI +subsystem that can act as a stand-alone OCSP service. The OCSP Manager +performs the task of an online certificate validation authority by enabling +OCSP-compliant clients to do real-time verification of certificates. Note +that an online certificate-validation authority is often referred to as an +OCSP Responder. + +Although the Certificate Authority (CA) is already configured with an +internal OCSP service. 
An external OCSP Responder is offered as a separate +subsystem in case the user wants the OCSP service provided outside of a +firewall while the CA resides inside of a firewall, or to take the load of +requests off of the CA. + +The OCSP Manager can receive Certificate Revocation Lists (CRLs) from +multiple CA servers, and clients can query the OCSP Manager for the +revocation status of certificates issued by all of these CA servers. + +When an instance of OCSP Manager is set up with an instance of CA, and +publishing is set up to this OCSP Manager, CRLs are published to it +whenever they are issued or updated. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-tks +Summary: Certificate System - Token Key Service +Group: System Environment/Daemons + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-tks-theme >= 9.0.0 +Requires: pki-common = %{version}-%{release} +Requires: pki-selinux = %{version}-%{release} +Requires: pki-symkey = %{version}-%{release} +%if 0%{?fedora} >= 16 +Requires(post): systemd-units +Requires(preun): systemd-units +Requires(postun): systemd-units +%else +%if 0%{?fedora} >= 15 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%else +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%endif +%endif + +%description -n pki-tks +The Token Key Service (TKS) is an optional PKI subsystem that manages the +master key(s) and the transport key(s) required to generate and distribute +keys for hardware tokens. 
TKS provides the security between tokens and an +instance of Token Processing System (TPS), where the security relies upon the +relationship between the master key and the token keys. A TPS communicates +with a TKS over SSL using client authentication. + +TKS helps establish a secure channel (signed and encrypted) between the token +and the TPS, provides proof of presence of the security token during +enrollment, and supports key changeover when the master key changes on the +TKS. Tokens with older keys will get new token keys. + +Because of the sensitivity of the data that TKS manages, TKS should be set up +behind the firewall with restricted access. + +This package is one of the top-level java-based Tomcat PKI subsystems +provided by the PKI Core used by the Certificate System. + +%{overview} + + +%package -n pki-silent +Summary: Certificate System - Silent Installer +Group: System Environment/Base + +BuildArch: noarch + +Requires: java >= 1:1.6.0 +Requires: pki-common = %{version}-%{release} + +%description -n pki-silent +The PKI Silent Installer may be used to "automatically" configure +the following PKI subsystems in a non-graphical (batch) fashion +including: + + the Certificate Authority (CA), + the Data Recovery Manager (DRM), + the Online Certificate Status Protocol (OCSP) Manager, + the Registration Authority (RA), + the Token Key Service (TKS), and/or + the Token Processing System (TPS). + +This package is a part of the PKI Core used by the Certificate System. + +%{overview} + + +%prep + + +%setup -q -n %{name}-%{version}%{?prerel} + +%if 0%{?fedora} >= 17 +%patch1 -p2 -b .f17 +%else +%if 0%{?fedora} >= 16 +%patch0 -p2 -b .f16 +%endif +%endif + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON -DJAVA_LIB_INSTALL_DIR=%{_jnidir} -DSYSTEMD_LIB_INSTALL_DIR=%{_unitdir} .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} all
+%{__make} VERBOSE=1 %{?_smp_mflags} test
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+cd %{buildroot}%{_libdir}/symkey
+%{__rm} symkey.jar
+%if 0%{?fedora} >= 16
+%{__rm} %{buildroot}%{_jnidir}/symkey.jar
+%{__mv} symkey-%{version}.jar %{buildroot}%{_jnidir}/symkey.jar
+%else
+%{__ln_s} symkey-%{version}.jar symkey.jar
+%endif
+
+%if 0%{?rhel} || 0%{?fedora} < 16
+cd %{buildroot}%{_jnidir}
+%{__rm} symkey.jar
+%{__ln_s} %{_libdir}/symkey/symkey.jar symkey.jar
+%endif
+
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
+# generate 'pki-ca.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+echo "D /var/run/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
+# generate 'pki-kra.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/lock/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+echo "D /var/run/pki/kra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-kra.conf
+# generate 'pki-ocsp.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/lock/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+echo "D /var/run/pki/ocsp 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+# generate 'pki-tks.conf' under the 'tmpfiles.d' directory
+echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/lock/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+echo "D /var/run/pki/tks 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
+%if 0%{?fedora} >= 16
+%{__rm} %{buildroot}%{_initrddir}/pki-cad
+%{__rm} %{buildroot}%{_initrddir}/pki-krad
+%{__rm} %{buildroot}%{_initrddir}/pki-ocspd
+%{__rm} %{buildroot}%{_initrddir}/pki-tksd
+# Create symlink to the pki-jndi-realm jar
+mkdir -p %{buildroot}%{_javadir}/tomcat6
+ln -s -f %{_javadir}/pki/pki-jndi-realm.jar %{buildroot}%{_javadir}/tomcat6/pki-jndi-realm.jar
+%else
+%{__rm} %{buildroot}%{_bindir}/pkicontrol
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-cad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{__rm} -rf %{buildroot}%{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{__rm} -rf %{buildroot}%{_unitdir}
+%endif
+
+# tomcat6 has changed how TOMCAT_LOG is used.
+# Need to adjust accordingly
+# This macro will be executed in the postinstall scripts
+%define fix_tomcat_log() ( \
+if [ -d /etc/sysconfig/pki/%i ]; then \
+ for F in `find /etc/sysconfig/pki/%1 -type f`; do \
+ instance=`basename $F` \
+ if [ -f /etc/sysconfig/$instance ]; then \
+ sed -i -e 's/catalina.out/tomcat-initd.log/' /etc/sysconfig/$instance \
+ fi \
+ done \
+fi \
+)
+
+%pre -n pki-selinux
+%saveFileContext targeted
+
+
+%post -n pki-selinux
+semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp
+%relabel targeted
+
+
+%preun -n pki-selinux
+if [ $1 = 0 ]; then
+ %saveFileContext targeted
+fi
+
+
+%postun -n pki-selinux
+if [ $1 = 0 ]; then
+ semodule -s targeted -r pki
+ %relabel targeted
+fi
+
+%if 0%{?rhel} || 0%{?fedora} < 16
+%post -n pki-ca
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-cad || :
+%fix_tomcat_log ca
+
+%post -n pki-kra
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-krad || :
+%fix_tomcat_log kra
+
+%post -n pki-ocsp
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-ocspd || :
+%fix_tomcat_log ocsp
+
+%post -n pki-tks
+# This adds the proper /etc/rc*.d links for the script
+/sbin/chkconfig --add pki-tksd || :
+%fix_tomcat_log tks
+
+
+%preun -n pki-ca
+if [ $1 = 0 ] ; then
+ /sbin/service pki-cad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-cad || :
+fi
+
+
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /sbin/service pki-krad stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-krad || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /sbin/service pki-ocspd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-ocspd || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /sbin/service pki-tksd stop >/dev/null 2>&1
+ /sbin/chkconfig --del pki-tksd || :
+fi
+
+
+%postun -n pki-ca
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-cad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-kra
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-krad condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-ocspd condrestart >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+if [ "$1" -ge "1" ] ; then
+ /sbin/service pki-tksd condrestart >/dev/null 2>&1 || :
+fi
+%else
+%post -n pki-ca
+# Attempt to update ALL old "CA" instances to "systemd"
+if [ -d /etc/sysconfig/pki/ca ]; then
+ for inst in `ls /etc/sysconfig/pki/ca`; do
+ if [ ! -e "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-cad@.service" \
+ "/etc/systemd/system/pki-cad.target.wants/pki-cad@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-cad@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-cad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log ca
+
+
+%post -n pki-kra
+# Attempt to update ALL old "KRA" instances to "systemd"
+if [ -d /etc/sysconfig/pki/kra ]; then
+ for inst in `ls /etc/sysconfig/pki/kra`; do
+ if [ ! -e "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-krad@.service" \
+ "/etc/systemd/system/pki-krad.target.wants/pki-krad@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-krad@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-krad@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log kra
+
+
+%post -n pki-ocsp
+# Attempt to update ALL old "OCSP" instances to "systemd"
+if [ -d /etc/sysconfig/pki/ocsp ]; then
+ for inst in `ls /etc/sysconfig/pki/ocsp`; do
+ if [ ! -e "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-ocspd@.service" \
+ "/etc/systemd/system/pki-ocspd.target.wants/pki-ocspd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-ocspd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-ocspd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log ocsp
+
+
+%post -n pki-tks
+# Attempt to update ALL old "TKS" instances to "systemd"
+if [ -d /etc/sysconfig/pki/tks ]; then
+ for inst in `ls /etc/sysconfig/pki/tks`; do
+ if [ ! -e "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service" ]; then
+ ln -s "/lib/systemd/system/pki-tksd@.service" \
+ "/etc/systemd/system/pki-tksd.target.wants/pki-tksd@${inst}.service"
+ [ -L /var/lib/${inst}/${inst} ] && unlink /var/lib/${inst}/${inst}
+ ln -s /usr/sbin/tomcat6-sysd /var/lib/${inst}/${inst}
+
+ if [ -e /var/run/${inst}.pid ]; then
+ kill -9 `cat /var/run/${inst}.pid` || :
+ rm -f /var/run/${inst}.pid
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ /bin/systemctl daemon-reload >/dev/null 2>&1 || :
+ /bin/systemctl restart pki-tksd@${inst}.service || :
+ else
+ echo "pkicreate.systemd.servicename=pki-tksd@${inst}.service" >> \
+ /var/lib/${inst}/conf/CS.cfg || :
+ fi
+ fi
+ done
+fi
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+%fix_tomcat_log tks
+
+%preun -n pki-ca
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-cad.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-cad.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-kra
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-krad.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-krad.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-ocsp
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-ocspd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-ocspd.target > /dev/null 2>&1 || :
+fi
+
+
+%preun -n pki-tks
+if [ $1 = 0 ] ; then
+ /bin/systemctl --no-reload disable pki-tksd.target > /dev/null 2>&1 || :
+ /bin/systemctl stop pki-tksd.target > /dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ca
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-cad.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-kra
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-krad.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-ocsp
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-ocspd.target >/dev/null 2>&1 || :
+fi
+
+
+%postun -n pki-tks
+/bin/systemctl daemon-reload >/dev/null 2>&1 || :
+if [ "$1" -ge "1" ] ; then
+ /bin/systemctl try-restart pki-tksd.target >/dev/null 2>&1 || :
+fi
+%endif
+
+%files -n pki-deploy
+%defattr(-,root,root,-)
+%doc base/deploy/LICENSE
+%{_bindir}/pkispawn
+%{_bindir}/pkidestroy
+#%{_bindir}/pki-setup-proxy
+%dir %{python_sitelib}/pki
+%{python_sitelib}/pki/_*
+%{python_sitelib}/pki/deployment/
+%dir %{_datadir}/pki
+%dir %{_datadir}/pki/deployment
+%{_datadir}/pki/deployment/config/
+%dir %{_datadir}/pki/deployment/spawn
+%{_datadir}/pki/deployment/spawn/ca/
+%{_datadir}/pki/deployment/spawn/kra/
+%{_datadir}/pki/deployment/spawn/ocsp/
+%{_datadir}/pki/deployment/spawn/ra/
+%{_datadir}/pki/deployment/spawn/tks/
+%{_datadir}/pki/deployment/spawn/tps/
+%dir %{_datadir}/pki/deployment/destroy
+%{_datadir}/pki/deployment/destroy/ca/
+%{_datadir}/pki/deployment/destroy/kra/
+%{_datadir}/pki/deployment/destroy/ocsp/
+%{_datadir}/pki/deployment/destroy/ra/
+%{_datadir}/pki/deployment/destroy/tks/
+%{_datadir}/pki/deployment/destroy/tps/
+#%dir %{_localstatedir}/lock/pki
+#%dir %{_localstatedir}/run/pki
+#%if 0%{?fedora} >= 16
+#%{_bindir}/pkicontrol
+#%endif
+#%{_javadir}/resteasy-jettison-provider-2.3-RC1.jar
+
+
+%files -n pki-setup
+%defattr(-,root,root,-)
+%doc base/setup/LICENSE
+%{_bindir}/pkicreate
+%{_bindir}/pkiremove
+%{_bindir}/pki-setup-proxy
+%dir %{_datadir}/pki
+%dir %{_datadir}/pki/scripts
+%{_datadir}/pki/scripts/pkicommon.pm
+%{_datadir}/pki/scripts/functions
+%{_datadir}/pki/scripts/pki_apache_initscript
+%dir %{_localstatedir}/lock/pki
+%dir %{_localstatedir}/run/pki
+%if 0%{?fedora} >= 16
+%{_bindir}/pkicontrol
+%endif
+%{_javadir}/resteasy-jettison-provider-2.3-RC1.jar
+
+
+%files -n pki-symkey
+%defattr(-,root,root,-)
+%doc base/symkey/LICENSE
+%{_jnidir}/symkey.jar
+%{_libdir}/symkey/
+
+%files -n pki-native-tools
+%defattr(-,root,root,-)
+%doc base/native-tools/LICENSE base/native-tools/doc/README
+%{_bindir}/p7tool
+%{_bindir}/revoker
+%{_bindir}/setpin
+%{_bindir}/sslget
+%{_bindir}/tkstool
+%dir %{_datadir}/pki
+%{_datadir}/pki/native-tools/
+
+
+%files -n pki-util
+%defattr(-,root,root,-)
+%doc base/util/LICENSE
+%dir %{_javadir}/pki
+%{_javadir}/pki/pki-cmsutil-%{version}.jar
+%{_javadir}/pki/pki-cmsutil.jar
+%{_javadir}/pki/pki-nsutil-%{version}.jar
+%{_javadir}/pki/pki-nsutil.jar
+
+%files -n pki-util-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-util-%{version}/
+
+
+%files -n pki-java-tools
+%defattr(-,root,root,-)
+%doc base/java-tools/LICENSE
+%{_bindir}/AtoB
+%{_bindir}/AuditVerify
+%{_bindir}/BtoA
+%{_bindir}/CMCEnroll
+%{_bindir}/CMCRequest
+%{_bindir}/CMCResponse
+%{_bindir}/CMCRevoke
+%{_bindir}/CRMFPopClient
+%{_bindir}/DRMTool
+%{_bindir}/ExtJoiner
+%{_bindir}/GenExtKeyUsage
+%{_bindir}/GenIssuerAltNameExt
+%{_bindir}/GenSubjectAltNameExt
+%{_bindir}/HttpClient
+%{_bindir}/OCSPClient
+%{_bindir}/PKCS10Client
+%{_bindir}/PKCS12Export
+%{_bindir}/PrettyPrintCert
+%{_bindir}/PrettyPrintCrl
+%{_bindir}/TokenInfo
+%{_javadir}/pki/pki-tools-%{version}.jar
+%{_javadir}/pki/pki-tools.jar
+%{_datadir}/pki/java-tools/
+
+%files -n pki-java-tools-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-java-tools-%{version}/
+
+
+%files -n pki-common
+%defattr(-,root,root,-)
+%doc base/common/LICENSE
+%{_javadir}/pki/pki-certsrv-%{version}.jar
+%{_javadir}/pki/pki-certsrv.jar
+%{_javadir}/pki/pki-cms-%{version}.jar
+%{_javadir}/pki/pki-cms.jar
+%{_javadir}/pki/pki-cmsbundle-%{version}.jar
+%{_javadir}/pki/pki-cmsbundle.jar
+%{_javadir}/pki/pki-cmscore-%{version}.jar
+%{_javadir}/pki/pki-cmscore.jar
+
+%if 0%{?fedora} >= 16
+# Create symlink to the pki-jndi-realm jar
+%{_javadir}/tomcat6/pki-jndi-realm.jar
+%endif
+
+%{_javadir}/pki/pki-jndi-realm-%{version}.jar
+%{_javadir}/pki/pki-jndi-realm.jar
+
+%{_datadir}/pki/setup/
+
+%files -n pki-common-javadoc
+%defattr(-,root,root,-)
+%{_javadocdir}/pki-common-%{version}/
+
+
+%files -n pki-selinux
+%defattr(-,root,root,-)
+%doc base/selinux/LICENSE
+%{_datadir}/selinux/modules/pki.pp
+
+
+%files -n pki-ca
+%defattr(-,root,root,-)
+%doc base/ca/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-cad.target.wants
+%{_unitdir}/pki-cad@.service
+%{_unitdir}/pki-cad.target
+%else
+%{_initrddir}/pki-cad
+%endif
+%{_javadir}/pki/pki-ca-%{version}.jar
+%{_javadir}/pki/pki-ca.jar
+%dir %{_datadir}/pki/ca
+%{_datadir}/pki/ca/conf/
+%{_datadir}/pki/ca/emails/
+%dir %{_datadir}/pki/ca/profiles
+%{_datadir}/pki/ca/profiles/ca/
+%{_datadir}/pki/ca/webapps/
+%{_datadir}/pki/ca/setup/
+%dir %{_localstatedir}/lock/pki/ca
+%dir %{_localstatedir}/run/pki/ca
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf
+%endif
+
+
+%files -n pki-kra
+%defattr(-,root,root,-)
+%doc base/kra/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-krad.target.wants
+%{_unitdir}/pki-krad@.service
+%{_unitdir}/pki-krad.target
+%else
+%{_initrddir}/pki-krad
+%endif
+%{_javadir}/pki/pki-kra-%{version}.jar
+%{_javadir}/pki/pki-kra.jar
+%dir %{_datadir}/pki/kra
+%{_datadir}/pki/kra/conf/
+%{_datadir}/pki/kra/setup/
+%{_datadir}/pki/kra/webapps/
+%dir %{_localstatedir}/lock/pki/kra
+%dir %{_localstatedir}/run/pki/kra
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-kra.conf
+%endif
+
+
+%files -n pki-ocsp
+%defattr(-,root,root,-)
+%doc base/ocsp/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-ocspd.target.wants
+%{_unitdir}/pki-ocspd@.service
+%{_unitdir}/pki-ocspd.target
+%else
+%{_initrddir}/pki-ocspd
+%endif
+%{_javadir}/pki/pki-ocsp-%{version}.jar
+%{_javadir}/pki/pki-ocsp.jar
+%dir %{_datadir}/pki/ocsp
+%{_datadir}/pki/ocsp/conf/
+%{_datadir}/pki/ocsp/setup/
+%{_datadir}/pki/ocsp/webapps/
+%dir %{_localstatedir}/lock/pki/ocsp
+%dir %{_localstatedir}/run/pki/ocsp
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ocsp.conf
+%endif
+
+
+%files -n pki-tks
+%defattr(-,root,root,-)
+%doc base/tks/LICENSE
+%if 0%{?fedora} >= 16
+%dir %{_sysconfdir}/systemd/system/pki-tksd.target.wants
+%{_unitdir}/pki-tksd@.service
+%{_unitdir}/pki-tksd.target
+%else
+%{_initrddir}/pki-tksd
+%endif
+%{_javadir}/pki/pki-tks-%{version}.jar
+%{_javadir}/pki/pki-tks.jar
+%dir %{_datadir}/pki/tks
+%{_datadir}/pki/tks/conf/
+%{_datadir}/pki/tks/setup/
+%{_datadir}/pki/tks/webapps/
+%dir %{_localstatedir}/lock/pki/tks
+%dir %{_localstatedir}/run/pki/tks
+%if 0%{?fedora} >= 15
+# Details:
+#
+# * https://fedoraproject.org/wiki/Features/var-run-tmpfs
+# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
+#
+%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tks.conf
+%endif
+
+
+%files -n pki-silent
+%defattr(-,root,root,-)
+%doc base/silent/LICENSE
+%{_bindir}/pkisilent
+%{_javadir}/pki/pki-silent-%{version}.jar
+%{_javadir}/pki/pki-silent.jar
+%{_datadir}/pki/silent/
+
+
+%changelog
+* Fri Mar 16 2012 Ade Lee 10.0.0-0.11.a1
+- BZ 802396 - Change location of TOMCAT_LOG to match tomcat6 changes
+- Corrected patch selected for selinux f17 rules
+
+* Wed Mar 14 2012 Matthew Harmsen 10.0.0-0.10.a1
+- Corrected 'junit' dependency check
+
+* Mon Mar 12 2012 Matthew Harmsen 10.0.0-0.9.a1
+- Initial attempt at PKI deployment framework described in
+ 'http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment'.
+
+* Fri Mar 09 2012 Jack Magne 10.0.0-0.8.a1
+- Added support for pki-jndi-realm in tomcat6 in pki-common
+ and pki-kra.
+- Ticket #69. + +* Fri Mar 2 2012 Matthew Harmsen 10.0.0-0.7.a1 +- For 'mock' purposes, removed platform-specific logic from around + the 'patch' files so that ALL 'patch' files will be included in + the SRPM. + +* Wed Feb 29 2012 Endi S. Dewata 10.0.0-0.6.a1 +- Removed dependency on OSUtil. + +* Tue Feb 28 2012 Ade Lee 10.0.0-0.5.a1 +- 'pki-selinux' +- Added platform-dependent patches for SELinux component +- Bugzilla Bug #739708 - Selinux fix for ephemeral ports (F16) +- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess (F17) + +* Wed Feb 23 2012 Endi S. Dewata 10.0.0-0.4.a1 +- Added dependency on Apache Commons Codec. + +* Wed Feb 22 2012 Matthew Harmsen 10.0.0-0.3.a1 +- Add '-DSYSTEMD_LIB_INSTALL_DIR' override flag to 'cmake' to address changes + in fundamental path structure in Fedora 17 +- 'pki-setup' +- Hard-code Perl dependencies to protect against bugs such as + Bugzilla Bug #772699 - Adapt perl and python fileattrs to + changed file 5.10 magics +- 'pki-selinux' +- Bugzilla Bug #795966 - pki-selinux policy is kind of a mess + +* Mon Feb 20 2012 Matthew Harmsen 10.0.0-0.2.a1 +- Integrated 'pki-kra' into 'pki-core' +- Integrated 'pki-ocsp' into 'pki-core' +- Integrated 'pki-tks' into 'pki-core' +- Bugzilla Bug #788787 - added 'junit'/'junit4' build-time requirements + +* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1 +- Updated package version number + +* Mon Jan 16 2012 Ade Lee 9.0.16-3 +- Added resteasy-jettison-provider-2.3-RC1.jar to pki-setup + +* Mon Nov 28 2011 Endi S. 
Dewata 9.0.16-2 +- Added JUnit tests + +* Fri Oct 28 2011 Matthew Harmsen 9.0.16-1 +- 'pki-setup' +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- Bugzilla Bug #737122 - DRM: during archiving and recovering, + wrapping unwrapping keys should be done in the token (cfu) +- 'pki-java-tools' +- 'pki-common' +- Bugzilla Bug #744797 - KRA key recovery (retrieve pkcs#12) fails after + the in-place upgrade( CS 8.0->8.1) (cfu) +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #746367 - Typo in the profile name. (jmagne) +- Bugzilla Bug #737122 - DRM: during archiving and recovering, + wrapping unwrapping keys should be done in the token (cfu) +- Bugzilla Bug #749927 - Java class conflicts using Java 7 in Fedora 17 + (rawhide) . . . (mharmsen) +- Bugzilla Bug #749945 - Installation error reported during CA, DRM, + OCSP, and TKS package installation . . . (mharmsen) +- 'pki-silent' + +* Thu Sep 22 2011 Matthew Harmsen 9.0.15-1 +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen) +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) +- 'pki-setup' +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS + mode (cfu) +- Bugzilla Bug #737192 - Need script to upgrade proxy configuration (alee) +- 'pki-symkey' +- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode + (hsm+NSS). (jmagne) +- 'pki-native-tools' +- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS + mode (cfu) +- 'pki-util' +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS + mode (cfu) +- 'pki-java-tools' +- 'pki-common' +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS + mode (cfu) +- Bugzilla Bug #737218 - Incorrect request attribute name matching + ignores request attributes during request parsing. (awnuk) +- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode + (hsm+NSS). 
(jmagne) +- 'pki-selinux' +- Bugzilla Bug #739708 - pki-selinux lacks rules in F16 (alee) +- 'pki-ca' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW (alee) +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS + mode (cfu) +- 'pki-silent' +- Bugzilla Bug #739201 - pkisilent does not take arch into account + as Java packages migrated to arch-dependent directories (mharmsen) + +* Fri Sep 9 2011 Matthew Harmsen 9.0.14-1 +- 'pki-setup' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'pki-symkey' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'pki-native-tools' +- 'pki-util' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'pki-java-tools' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'pki-common' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) +- 'pki-silent' +- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . 
+ +* Tue Sep 6 2011 Ade Lee 9.0.13-1 +- 'pki-setup' +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) +- 'pki-ca' +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) +- 'pki-common' +- Bugzilla Bug #699809 - Convert CS to use systemd (alee) + +* Tue Aug 23 2011 Matthew Harmsen 9.0.12-1 +- 'pki-setup' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW (alee) +- 'pki-symkey' +- 'pki-native-tools' +- Bugzilla Bug #717643 - Fopen without NULL check and other Coverity + issues (awnuk) +- Bugzilla Bug #730801 - Coverity issues in native-tools area (awnuk) +- 'pki-util' +- 'pki-java-tools' +- 'pki-common' +- Bugzilla Bug #700522 - pki tomcat6 instances currently running + unconfined, allow server to come up when selinux disabled (alee) +- Bugzilla Bug #731741 - some CS.cfg nickname parameters not updated + correctly when subsystem cloned (using hsm) (alee) +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW (alee) +- 'pki-selinux' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW (alee) +- 'pki-ca' +- Bugzilla Bug #712931 - CS requires too many ports + to be open in the FW (alee) +- 'pki-silent' + +* Wed Aug 10 2011 Matthew Harmsen 9.0.11-1 +- 'pki-setup' +- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much + time - remove the inefficient sleeps (alee) +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #724861 - DRMTool: fix duplicate "dn:" records by + renumbering "cn=" (mharmsen) +- 'pki-common' +- Bugzilla Bug #717041 - Improve escaping of some enrollment inputs like + (jmagne, awnuk) +- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much + time - remove the inefficient sleeps (alee) +- Bugzilla Bug #708075 - Clone installation does not work over NAT + (alee) +- Bugzilla Bug #726785 - If replication fails while setting up a clone + it will wait forever (alee) +- Bugzilla Bug #728332 - xml output has changed on 
cert requests (awnuk) +- Bugzilla Bug #700505 - pki tomcat6 instances currently running + unconfined (alee) +- 'pki-selinux' +- Bugzilla Bug #700505 - pki tomcat6 instances currently running + unconfined (alee) +- 'pki-ca' +- Bugzilla Bug #728605 - RFE: increase default validity from 6mo to 2yrs + in IPA profile (awnuk) +- 'pki-silent' +- Bugzilla Bug #689909 - Dogtag installation under IPA takes too much + time - remove the inefficient sleeps (alee) + +* Fri Jul 22 2011 Matthew Harmsen 9.0.10-1 +- 'pki-setup' +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored + using an ECC CA to generate ECC certs from CRMF. (jmagne) +- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding + for any component value which is equal to its default value (alee) +- 'pki-java-tools' +- 'pki-common' +- Bugzilla Bug #720510 - Console: Adding a certificate into nethsm + throws Token not found error. (jmagne) +- Bugzilla Bug #719007 - Key Constraint keyParameter being ignored + using an ECC CA to generate ECC certs from CRMF. (jmagne) +- Bugzilla Bug #716307 - rhcs80 - DER shall not include an encoding + for any component value which is equal to its default value (alee) +- Bugzilla Bug #722989 - Registering an agent when a subsystem is + created - does not log AUTHZ_SUCCESS event. (alee) +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #719113 - Add client usage flag to caIPAserviceCert + (awnuk) +- 'pki-silent' + +* Thu Jul 14 2011 Matthew Harmsen 9.0.9-1 +- Updated release of 'jss' +- Updated release of 'tomcatjss' for Fedora 15 +- 'pki-setup' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. 
+ (mharmsen) +- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser + (jdennis) +- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-symkey' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-native-tools' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #717765 - TPS configuration: logging into security domain + from tps does not work with clientauth=want. (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-util' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-java-tools' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #532548 - Tool to do DRM re-key (mharmsen) +- Bugzilla Bug #532548 - Tool to do DRM re-key (config file and record + processing) (mharmsen) +- Bugzilla Bug #532548 - Tool to do DRM re-key (tweaks) (mharmsen) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-common' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #695403 - Editing signedaudit or transaction, system + logs throws 'Invalid protocol' for OCSP subsystems (alee) +- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) +- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not + populated in the CA signedAudit messages (alee) +- Bugzilla Bug #694143 - CA Agent not returning specified request (awnuk) +- Bugzilla Bug #695015 - Serial No. 
of a revoked certificate is not + populated in the CA signedAudit messages (jmagne) +- Bugzilla Bug #698885 - Race conditions during IPA installation (alee) +- Bugzilla Bug #704792 - CC_LAB_EVAL: CA agent interface: + SubjectID=$Unidentified$ fails audit evaluation (jmagne) +- Bugzilla Bug #705914 - SCEP mishandles nicknames when processing + subsequent SCEP requests. (awnuk) +- Bugzilla Bug #661142 - Verification should fail when a revoked + certificate is added. (jmagne) +- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs + for modify/add (alee) +- Bugzilla Bug #707416 - additional audit messages for GetCookie (alee) +- Bugzilla Bug #707607 - Published certificate summary has list of + non-published certificates with succeeded status (jmagne) +- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated + for tps and ca on server shutdown (jmagne) +- Bugzilla Bug #697939 - DRM signed audit log message - operation should + be read instead of modify (jmagne) +- Bugzilla Bug #718427 - When audit log is full, server continue to + function. (alee) +- Bugzilla Bug #718607 - CC_LAB_EVAL: No AUTH message is generated in + CA's signedaudit log when a directory based user enrollment is + performed (jmagne) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-selinux' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #720503 - RA and TPS require additional SELinux + permissions to run in "Enforcing" mode (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-ca' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser + (jdennis) +- Bugzilla Bug #699837 - service command is not fully backwards + compatible with Dogtag pki subsystems (mharmsen) +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to an + administrator group. 
(jmagne) +- Bugzilla Bug #707416 - CC_LAB_EVAL: Security Domain: missing audit msgs + for modify/add (alee) +- Bugzilla Bug #716269 - make ra authenticated profiles non-visible on ee + pages (alee) +- Bugzilla Bug #718621 - CC_LAB_EVAL: PRIVATE_KEY_ARCHIVE_REQUEST occurs + for a revocation invoked by EE user (awnuk) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) +- 'pki-silent' +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + (mharmsen) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) + +* Wed May 25 2011 Matthew Harmsen 9.0.8-2 +- 'pki-setup' +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Added 'DRMTool.cfg' configuration file to inventory +- 'pki-common' +- 'pki-selinux' +- 'pki-ca' +- 'pki-silent' + +* Wed May 25 2011 Matthew Harmsen 9.0.8-1 +- 'pki-setup' +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #532548 - Tool to do DRM re-key +- 'pki-common' +- 'pki-selinux' +- 'pki-ca' +- 'pki-silent' + +* Tue Apr 26 2011 Matthew Harmsen 9.0.7-1 +- 'pki-setup' +- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser +- Bugzilla Bug #694569 - parameter used by pkiremove not updated +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- 'pki-common' +- Bugzilla Bug #695403 - Editing signedaudit or transaction, system logs + throws 'Invalid protocol' for OCSP subsystems +- Bugzilla Bug #694569 - parameter used by pkiremove not updated +- Bugzilla Bug #695015 - Serial No. of a revoked certificate is not + populated in the CA signedAudit messages +- Bugzilla Bug #694143 - CA Agent not returning specified request +- Bugzilla Bug #695015 - Serial No. 
of a revoked certificate is not + populated in the CA signedAudit messages +- Bugzilla Bug #698885 - Race conditions during IPA installation +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #693815 - /var/log/tomcat6/catalina.out owned by pkiuser +- Bugzilla Bug #699837 - service command is not fully backwards compatible + with Dogtag pki subsystems +- 'pki-silent' + +* Mon Apr 11 2011 Matthew Harmsen 9.0.6-2 +- Bugzilla Bug #695157 - Auditverify on TPS audit log throws error. + +* Tue Apr 5 2011 Matthew Harmsen 9.0.6-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #693327 - Missing requires: tomcatjss +- 'pki-setup' +- Bugzilla Bug #690626 - pkiremove removes the registry entry for + all instances on a machine +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port + throws file not found exception. +- 'pki-common' +- Bugzilla Bug #692990 - Audit log messages needed to match CC doc: + DRM Recovery audit log messages +- 'pki-selinux' +- 'pki-ca' +- 'pki-silent' + +* Tue Apr 5 2011 Matthew Harmsen 9.0.5-2 +- Bugzilla Bug #693327 - Missing requires: tomcatjss + +* Fri Mar 25 2011 Matthew Harmsen 9.0.5-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Require "jss >= 4.2.6-15" as a build and runtime requirement +- Require "tomcatjss >= 2.1.1" as a build and runtime requirement + for Fedora 15 and later platforms +- 'pki-setup' +- Bugzilla Bug #688287 - Add "deprecation" notice regarding using + "shared ports" in pkicreate -help . . . 
+- Bugzilla Bug #688251 - Dogtag installation under IPA takes + too much time - SELinux policy compilation +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #689501 - ExtJoiner tool fails to join the multiple + extensions +- 'pki-common' +- Bugzilla Bug #683581 - CA configuration with ECC(Default + EC curve-nistp521) CA fails with 'signing operation failed' +- Bugzilla Bug #689662 - ocsp publishing needs to be re-enabled + on the EE port +- 'pki-selinux' +- Bugzilla Bug #684871 - ldaps selinux link change +- 'pki-ca' +- Bugzilla Bug #683581 - CA configuration with ECC(Default + EC curve-nistp521) CA fails with 'signing operation failed' +- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments +- Bugzilla Bug #689453 - CRMFPopClient request to CA's unsecure port + throws file not found exception.(profile and CS.cfg only) +- 'pki-silent' + +* Thu Mar 17 2011 Matthew Harmsen 9.0.4-1 +- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) +- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA + instance +- Bugzilla Bug #675742 - Profile caIPAserviceCert Not Found +- 'pki-setup' +- Bugzilla Bug #678157 - uninitialized variable warnings from Perl +- Bugzilla Bug #679574 - Velocity fails to load all dependent classes +- Bugzilla Bug #680420 - xml-commons-apis.jar dependency +- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's + classpath +- Bugzilla Bug #673508 - CS8 64 bit pkicreate script uses wrong library + name for SafeNet LunaSA +- 'pki-common' +- Bugzilla Bug #673638 - Installation within IPA hangs +- Bugzilla Bug #678715 - netstat loop fixes needed +- Bugzilla Bug #673609 - CC: authorize() call needs to be added to + getStats servlet +- 'pki-selinux' +- Bugzilla Bug #674195: SELinux error message thrown during token + enrollment +- 'pki-ca' +- Bugzilla Bug #673638 - Installation within IPA hangs +- Bugzilla Bug #673609 - CC: authorize() call needs to be 
added to + getStats servlet +- Bugzilla Bug #676330 - init script cannot start service +- 'pki-silent' +- Bugzilla Bug #682013 - pkisilent needs xml-commons-apis.jar in it's + classpath + +* Wed Feb 9 2011 Matthew Harmsen 9.0.3-2 +- 'pki-common' +- Bugzilla Bug #676051 - IPA installation failing - Fails to create CA + instance +- Bugzilla Bug #676182 - IPA installation failing - Fails to create CA + instance + +* Fri Feb 4 2011 Matthew Harmsen 9.0.3-1 +- 'pki-common' +- Bugzilla Bug #674894 - ipactl restart : an annoy output line +- Bugzilla Bug #675179 - ipactl restart : an annoy output line + +* Thu Feb 3 2011 Matthew Harmsen 9.0.2-1 +- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes +- 'pki-setup' +- Bugzilla Bug #673638 - Installation within IPA hangs +- 'pki-symkey' +- 'pki-native-tools' +- 'pki-util' +- 'pki-java-tools' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- 'pki-common' +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection + error. +- Bugzilla Bug #504056 - Completed SCEP requests are assigned to the + "begin" state instead of "complete". +- Bugzilla Bug #504055 - SCEP requests are not properly populated +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries +- Bugzilla Bug #672291 - CA is not publishing certificates issued using + "Manual User Dual-Use Certificate Enrollment" - +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package +- Bugzilla Bug #672920 - CA console: adding policy to a profile throws + 'Duplicate policy' error in some cases. 
+- Bugzilla Bug #673199 - init script returns control before web apps have + started +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-selinux' +- 'pki-ca' +- Bugzilla Bug #504013 - sscep request is rejected due to authentication + error if submitted through one time pin router certificate enrollment. +- Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing + information +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation +- Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI + subsystem instances +- 'pki-silent' +- Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided + by 'netscape.security.provider' package + +* Wed Feb 2 2011 Matthew Harmsen 9.0.1-3 +- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock + +* Thu Jan 20 2011 Matthew Harmsen 9.0.1-2 +- 'pki-symkey' +- Bugzilla Bug #671265 - pki-symkey jar version incorrect +- 'pki-common' +- Bugzilla Bug #564207 - Searches for completed requests in the agent + interface returns zero entries + +* Tue Jan 18 2011 Matthew Harmsen 9.0.1-1 +- Allow 'pki-native-tools' to be installed independently of 'pki-setup' +- Removed explicit 'pki-setup' requirement from 'pki-ca' + (since it already requires 'pki-common') +- 'pki-setup' +- Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group +- Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP + and TKS. 
+- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13 +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*, + pkicreate fails Fedora 14 and above +- Bugzilla Bug #23346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'pki-symkey' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-native-tools' +- template change +- Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #644056 - CS build contains warnings +- 'pki-util' +- Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical + cannot be set to true +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. 
+- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and + CS interface +- Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse + ASN.1 encoding/decoding is broken +- Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1 + encoding/decoding is incomplete +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #223319 - Certificate Status inconsistency between token + db and CA +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-java-tools' +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to + 5000 bytes +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- 'pki-common' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable + started before configuration completed +- 
Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5 + policy mappings (seem hardcoded) +- Bugzilla Bug #224945 - javadocs has missing descriptions, contains + empty packages +- Bugzilla Bug #548699 - subCA's admin certificate should be generated by + itself +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile + caAgentServerCert (null cert_request) +- Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited + number of times +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #629677 - TPS: token enrollment fails. +- Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN + in a SCEP request +- Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection + pools not reliable - improve connections or discovery +- Bugzilla Bug #629769 - password decryption logs plain text password +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. +- Bugzilla Bug #607380 - CC: Make sure Java Console can configure all + security relevant config items +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #489342 - + com.netscape.cms.servlet.common.CMCOutputTemplate.java + doesn't support EC +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #635033 - At installation wizard selecting key types other + than CA's signing cert will fail +- Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated + for SCEP signing and encryption. +- Bugzilla Bug #223336 - ECC: unable to clone a ECC CA +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #648757 - expose and use updated cert verification + function in JSS +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing + e.c. support +- Bugzilla Bug #651040 - cloning shoud not include sslserver +- Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to + CS.cfg files imcomplete when the cert is stored on a hsm +- Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . . 
+- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #642359 - CC Feature - need to verify certificate when it + is added +- Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires + auditing +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1 +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an + error to TPS even if certificate in question is already revoked. +- Bugzilla Bug #663546 - Disable the functionalities that are not exposed + in the console +- Bugzilla Bug #661514 - CMAKE build system requires rules to make + javadocs +- Bugzilla Bug #658188 - remove remaining references to tomcat5 +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. 
+- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #642741 - CS build uses deprecated functions +- Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- 'pki-selinux' +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer - + selinux changes +- 'pki-ca' +- Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit + logs in the java subsystems +- Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA +- Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of + CC interface doc review +- Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with + admin privilege throws error "You are not authorized to perform this + operation". +- Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml + as part of CC interface review +- Bugzilla Bug #583823 - CC: Auditing issues found as result of + CC - interface review +- Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws + 'Internal Server Error'. +- Bugzilla Bug #586700 - OCSP Server throws fatal error while using + OCSP console for renewing SSL Server certificate. +- Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes. +- Bugzilla Bug #621338 - Include a server randomly-generated 16 byte + senderNonce in all signed SCEP responses. 
+- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. +- Bugzilla Bug #630121 - OCSP responder lacking option to delete or + disable a CA that it serves +- Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1 +- Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade + attack in SCEP +- Bugzilla Bug #621334 - Provide an option to set default hash algorithm + for signing SCEP response messages. +- Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned + by Reason Code - onlySomeReasons ? +- Bugzilla Bug #637330 - CC feature: Key Management - provide signature + verification functions (JAVA subsystems) +- Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port + fowarding for agent services +- Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on + ECC curve names (not on key sizes). +- Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple + Certificates from the Same Request +- Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection + of signature algorithm; and for ECC curves +- Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA + release -- DRM and TKS do not seem to have CRL checking enabled +- Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help + correctly set up CC environment +- Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in + certificates (RFC 4262) +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object + signing support in RHCS +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit + policy extension to 5 only +- Bugzilla Bug #649910 - Console: an auditor or 
agent can be added to + an administrator group. +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets + as expected +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke + certs in TPS +- Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature +- Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with + Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA. +- Bugzilla Bug #649343 - Publishing queue should recover from CA crash. +- Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and + pkiCA, obsolete 2252 and 2256 +- Bugzilla Bug #223346 - Two conflicting ACL list definitions in source + repository +- Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #661142 - Verification should fail when + a revoked certificate is added +- Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key + usage +- Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time + interface is no longer available through console +- Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory + During CRL Generation +- 'pki-silent' +- Bugzilla Bug #627309 - pkisilent subca configuration fails. +- Bugzilla Bug #640091 - pkisilent panels need to match with changed java + subsystems +- Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM + Clone. 
+- Bugzilla Bug #643053 - pkisilent DRM configuration fails +- Bugzilla Bug #583754 - pki-silent needs an option to configure signing + algorithm for CA certificates +- Bugzilla Bug #489385 - references to rhpki +- Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI + interface +- Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml) +- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module + Panel up to before Security Domain Panel +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #588323 - Failed to enable cipher 0xc001 +- Bugzilla Bug #656733 - Standardize jar install location and jar names +- Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves, + signing algorithm +- Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords + with special characters +- Bugzilla Bug #642741 - CS build uses deprecated functions + +* Thu Jan 13 2011 Matthew Harmsen 9.0.0-3 +- Bugzilla Bug #668839 - Review Request: pki-core +- Removed empty "pre" from "pki-ca" +- Consolidated directory ownership +- Corrected file ownership within subpackages +- Removed all versioning from NSS and NSPR packages + +* Thu Jan 13 2011 Matthew Harmsen 9.0.0-2 +- Bugzilla Bug #668839 - Review Request: pki-core +- Added component versioning comments +- Updated JSS from "4.2.6-10" to "4.2.6-12" +- Modified installation section to preserve timestamps +- Removed sectional comments + +* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1 +- Initial revision. (kwright@redhat.com & mharmsen@redhat.com) + diff --git a/specs/pki-migrate.spec b/specs/pki-migrate.spec new file mode 100644 index 000000000..9047e3b2b --- /dev/null +++ b/specs/pki-migrate.spec 
@@ -0,0 +1,156 @@
+# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release
+# also remove the space between % and global - this space is needed because
+# fedpkg verrel stupidly ignores comment lines
+%global prerel .a1
+# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release
+%global relprefix 0.
+
+Name: pki-migrate
+Version: 10.0.0
+Release: %{?relprefix}1%{?prerel}%{?dist}
+Summary: Red Hat Certificate System - PKI Migration Scripts
+URL: http://pki.fedoraproject.org/
+License: GPLv2
+Group: System Environment/Base
+
+# Suppress automatic 'requires' and 'provisions' of multi-platform 'binaries'
+AutoReqProv: no
+
+BuildArch: noarch
+
+BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
+
+BuildRequires: cmake
+BuildRequires: java-devel >= 1:1.6.0
+BuildRequires: jpackage-utils
+
+Requires: java >= 1:1.6.0
+
+Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz
+
+%global _binaries_in_noarch_packages_terminate_build 0
+
+%description
+Red Hat Certificate System (CS) is an enterprise software system designed
+to manage enterprise Public Key Infrastructure (PKI) deployments.
+
+PKI Migration Scripts are used to export data from previous versions of
+Netscape Certificate Management Systems, iPlanet Certificate Management
+Systems, and Red Hat Certificate Systems into a flat-file which may then
+be imported into this release of Red Hat Certificate System.
+
+Note that since this utility is platform-independent, it is generally possible
+to migrate data from previous PKI deployments originally stored on other
+hardware platforms as well as earlier versions of this operating system.
+
+
+%prep
+
+
+%setup -q -n %{name}-%{version}%{?prerel}
+
+
+%clean
+%{__rm} -rf %{buildroot}
+
+
+%build
+%{__mkdir_p} build
+cd build
+%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_MIGRATE:BOOL=ON ..
+%{__make} VERBOSE=1 %{?_smp_mflags}
+
+
+%install
+%{__rm} -rf %{buildroot}
+cd build
+%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"
+
+
+%files
+%defattr(-,root,root,-)
+%doc base/migrate/LICENSE
+%dir %{_datadir}/pki
+%{_datadir}/pki/migrate/
+
+
+%changelog
+* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1
+- Updated package version number
+
+* Fri Oct 28 2011 Andrew Wnuk 9.0.2-1
+- Bugzilla Bug #737216 - unnecessary empty lines in "cert-info" attributes
+ created in 7.1->8.0 migration
+- Bugzilla Bug #737217 - Migration tool is not using proper "ext-data" array
+ format.
+
+* Thu Jul 14 2011 Matthew Harmsen 9.0.1-1
+- Bugzilla Bug #669226 - Remove Legacy Build System
+
+* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1
+- Updated Dogtag 1.3.x --> Dogtag 2.0.0 (internal) --> Dogtag 9.0.0
+
+* Mon Jul 13 2009 Matthew Harmsen 8.0.0-17
+- Bugzilla Bug #511136 - Integrate EULA file into RHCS
+- Release Candidate 4 build
+
+* Wed Jul 08 2009 Kevin Wright 8.0.0-16
+- Bugzilla Bug #510352 - Release Candidate 3 build
+
+* Thu Jul 02 2009 Kevin Wright 8.0.0-15
+- Bugzilla Bug #509447 - Release Candidate 2 build
+
+* Thu Jun 25 2009 Kevin Wright 8.0.0-14
+- Bugzilla Bug #508179 - Remove base_phase ".beta" tag
+
+* Fri Jun 05 2009 Matthew Harmsen 8.0.0-13
+- Bugzilla Bug #499496 - pki-migrate package should include only the tools
+ we support
+
+* Mon May 18 2009 Ade Lee 8.0.0-12
+- Bugzilla Bug #493717 - migration scripts required for TPS groups
+
+* Mon May 04 2009 Kevin Wright 8.0.0-11
+- Bugzilla Bug #499030 - Beta 2 Release
+
+* Fri Mar 27 2009 Matthew Harmsen 8.0.0-10
+- Bugzilla Bug #492502 - Redefine "base_phase" from ".alpha" to ".beta"
+
+* Sat Feb 28 2009 Matthew Harmsen 8.0.0-9
+- Bugzilla Bug #487896 - Introduce optional 'base_phase' release tag to
+ denote ".alpha", ".beta", etc.
+
+* Tue Feb 17 2009 Matthew Harmsen 8.0.0-8
+- Bugzilla Bug #485790 - Need changes made to spec files in various packages
+ to be able to build in koji/brew
+
+* Fri Jan 30 2009 Matthew Harmsen 8.0.0-7
+- Bugzilla Bug #253615 - RFE: migration tool needs to be written for the
+ serialization changes - Allowed 63ToTxt binaries to be published
+
+* Sat Nov 29 2008 Matthew Harmsen 8.0.0-6
+- Aligned RHEL 5, RHEL 4, and Solaris 9 "base_release" numbers
+- Bugzilla Bug #445402 - Changed "base_url" from
+ "http://www.redhat.com/software/rha/certificate" to
+ "http://www.redhat.com/certificate_system"
+
+* Sat Nov 22 2008 Matthew Harmsen 8.0.0-5
+- Bugzilla Bug #472305 - "equality" tests in all spec files need to be fixed
+- Bumped "java" and "java-devel" 1.4.2 and 1.5.0 dependencies to 1.6.0
+- Changed "java-sdk" to "java-devel" for consistency
+
+* Tue Oct 14 2008 Ade Lee 8.0.0-4
+- bugzilla bug #223361 - added 80 migration scripts
+
+* Fri Jun 08 2007 Matthew Harmsen 8.0.0-3
+- bugzilla bug #243480 - added legacy upgrade path
+
+* Tue Jun 05 2007 Matthew Harmsen 8.0.0-2
+- bugzilla bug #242575 - Made numerous changes to spec file.
+
+* Mon May 21 2007 Kevin McCarthy 8.0.0-1
+- Bump to version 8.0.
+
+* Thu Apr 05 2007 Thomas Kwan 1.0.0-1
+- Fixed change log to use the correct version
+
diff --git a/specs/pki-ra.spec b/specs/pki-ra.spec
new file mode 100644
index 000000000..035cb6204
--- /dev/null
+++ b/specs/pki-ra.spec
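Review bot: In specs/pki-migrate.spec, `%global _binaries_in_noarch_packages_terminate_build 0` together with `AutoReqProv: no` lets binary files ship in a noarch package with the build check switched off and no generated dependencies, yet the spec does not say which files these are or where they were built. The 8.0.0-7 changelog entry mentions 63ToTxt binaries, so presumably those are meant; a comment above the macro along the lines of `# noarch check disabled on purpose: package carries <list of binary files>, built from <origin>` would let a packager audit what is being redistributed. Separately, `Source0:` and `URL:` use plain `http://`; if the host serves TLS, `https://` is the better form, and in either case the tarball's integrity has to rest on a checksum recorded by the packaging repository, not on the URL. This file is moved by the commit, not newly written, so both points are carry-overs.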
@@ -0,0 +1,271 @@ +# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release +# also remove the space between % and global - this space is needed because +# fedpkg verrel stupidly ignores comment lines +%global prerel .a1 +# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release +%global relprefix 0. + +Name: pki-ra +Version: 10.0.0 +Release: %{?relprefix}1%{?prerel}%{?dist} +Summary: Certificate System - Registration Authority +URL: http://pki.fedoraproject.org/ +License: GPLv2 +Group: System Environment/Daemons + +BuildArch: noarch + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: nspr-devel +BuildRequires: nss-devel + +Requires: mod_nss >= 1.0.8 +Requires: mod_perl >= 1.99_16 +Requires: mod_revocator >= 1.0.3 +Requires: pki-native-tools +Requires: pki-ra-theme >= 9.0.0 +Requires: pki-selinux +Requires: pki-setup +Requires: perl-DBD-SQLite +Requires: sqlite +Requires: /usr/sbin/sendmail +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz + +%description +Certificate System (CS) is an enterprise software system designed +to manage enterprise Public Key Infrastructure (PKI) deployments. + +The Registration Authority (RA) is an optional PKI subsystem that acts as a +front-end for authenticating and processing enrollment requests, PIN reset +requests, and formatting requests. + +An RA communicates over SSL with a Certificate Authority (CA) to fulfill +the user's requests. 
An RA may often be located outside an organization's +firewall to allow external users the ability to communicate with that +organization's PKI deployment. + +For deployment purposes, an RA requires the following components from the PKI +Core package: + + * pki-setup + * pki-native-tools + * pki-selinux + +and can also make use of the following optional components from the PKI Core +package: + + * pki-silent + +Additionally, Certificate System requires ONE AND ONLY ONE of the following +"Mutually-Exclusive" PKI Theme packages: + + * dogtag-pki-theme (Dogtag Certificate System deployments) + * redhat-pki-theme (Red Hat Certificate System deployments) + + +%prep + + +%setup -q -n %{name}-%{version}%{?prerel} + +cat << \EOF > %{name}-prov +#!/bin/sh +%{__perl_provides} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_provides %{_builddir}/%{name}-%{version}%{?prerel}/%{name}-prov +chmod +x %{__perl_provides} + +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_requires %{_builddir}/%{name}-%{version}%{?prerel}/%{name}-req +chmod +x %{__perl_requires} + + +%clean +%{__rm} -rf %{buildroot} + + +%build +%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_RA:BOOL=ON .. 
+%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/group/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/admin/user/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/cert/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/agent/request/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/agent/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/request/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/scep/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/server/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/ra/docroot/ee/user/*.cgi + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-ra.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/lock/pki/ra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +echo "D /var/run/pki/ra 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ra.conf +%endif + + +%post +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-rad || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-rad stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-rad || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-rad condrestart >/dev/null 2>&1 || : +fi + + +%files 
+%defattr(-,root,root,-) +%doc base/ra/LICENSE +%{_initrddir}/pki-rad +%dir %{_datadir}/pki/ra +%{_datadir}/pki/ra/conf/ +%{_datadir}/pki/ra/docroot/ +%{_datadir}/pki/ra/lib/ +%{_datadir}/pki/ra/scripts/ +%{_datadir}/pki/ra/setup/ +%dir %{_localstatedir}/lock/pki/ra +%dir %{_localstatedir}/run/pki/ra +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ra.conf +%endif + + +%changelog +* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1 +- Updated package version number + +* Thu Sep 22 2011 Ade Lee 9.0.4-1 +- Bugzilla Bug #733065 - User enrollment with RA -- this fails with + CA Connection Error + +* Thu Jul 14 2011 Matthew Harmsen 9.0.3-1 +- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) +- Bugzilla Bug #699364 - PKI-RA instance not created successfully (alee) +- Bugzilla Bug #699837 - service command is not fully backwards + compatible with Dogtag pki subsystems (mharmsen) +- Bugzilla Bug #717765 - TPS configuration: logging into security domain + from tps does not work with clientauth=want. 
(alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) + +* Tue Apr 26 2011 Matthew Harmsen 9.0.2-1 +- Bugzilla Bug #694569 - parameter used by pkiremove not updated +- Bugzilla Bug #699364 - PKI-RA instance not created successfully +- Bugzilla Bug #699837 - service command is not fully backwards compatible + with Dogtag pki subsystems + +* Fri Mar 25 2011 Matthew Harmsen 9.0.1-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments + +* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #656664 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock +- Bugzilla Bug #606943 - Convert RA to use ldap utilities from + OpenLDAP instead of the Mozldap + +* Thu Apr 08 2010 Matthew Harmsen 1.3.1-1 +- Bugzilla Bug #564131 - Config wizard : all subsystems - done panel text + needs correction + +* Tue Feb 16 2010 Matthew Harmsen 1.3.0-6 +- Bugzilla Bug #566060 - Add 'pki-native-tools' as a runtime dependency + for RA, and TPS . . . + +* Fri Jan 29 2010 Matthew Harmsen 1.3.0-5 +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . 
+- Applied filters for unwanted perl provides and requires +- Restored "perl-DBD-SQLite" runtime dependency + +* Tue Jan 26 2010 Matthew Harmsen 1.3.0-4 +- Bugzilla Bug #553850 - Review Request: pki-ra - Dogtag Registration Authority +- Per direction from the Fedora community, + removed the following explicit "Requires": + perl-DBI + perl-HTML-Parser + perl-HTML-Tagset + perl-Parse-RecDescent + perl-URI + perl-XML-NamespaceSupport + perl-XML-Parser + perl-XML-Simple + +* Thu Jan 14 2010 Matthew Harmsen 1.3.0-3 +- Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into pkicreate . . . +- Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Bugzilla Bug #553850 - Review Request: pki-ra - Dogtag Registration Authority + +* Mon Dec 14 2009 Kevin Wright 1.3.0-2 +- Removed 'with exceptions' from License + +* Fri Oct 16 2009 Ade Lee 1.3.0-1 +- Bugzilla Bug #X - Fedora Packaging Changes + diff --git a/specs/pki-tps.spec b/specs/pki-tps.spec new file mode 100644 index 000000000..f3bff7ae7 --- /dev/null +++ b/specs/pki-tps.spec 
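Review bot: In `%install`, the generated `tmpfiles.d/pki-ra.conf` declares the shared parents `/var/lock/pki` and `/var/run/pki` with type `D`, and the pki-tps.spec hunk writes the same two lines into `pki-tps.conf`. Unlike `d`, type `D` also empties the directory when systemd-tmpfiles runs with `--remove`, so either package's file can clear a parent that holds the other subsystem's directory. I would use `d` for the shared parents, e.g. `echo "d /var/run/pki 0755 root root -"`, and ideally declare them in one package rather than once per subsystem. Separately, `%files` lists `%dir %{_localstatedir}/run/pki/ra` and `%dir %{_localstatedir}/lock/pki/ra` without `%ghost`, which looks inconsistent with the var-run-tmpfs change the spec cites and with the changelog entry for Bug #656664.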
@@ -0,0 +1,466 @@ +# for a pre-release, define the prerel field e.g. .a1 .rc2 - comment out for official release +# also remove the space between % and global - this space is needed because +# fedpkg verrel stupidly ignores comment lines +%global prerel .a1 +# also need the relprefix field for a pre-release e.g. .0 - also comment out for official release +%global relprefix 0. + +Name: pki-tps +Version: 10.0.0 +Release: %{?relprefix}1%{?prerel}%{?dist} +Summary: Certificate System - Token Processing System +URL: http://pki.fedoraproject.org/ +License: LGPLv2 +Group: System Environment/Daemons + +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) + +BuildRequires: cmake +BuildRequires: apr-devel +BuildRequires: apr-util-devel +BuildRequires: cyrus-sasl-devel +BuildRequires: httpd-devel +BuildRequires: openldap-devel +BuildRequires: nspr-devel +BuildRequires: nss-devel +BuildRequires: pcre-devel +BuildRequires: svrcore-devel +BuildRequires: zlib +BuildRequires: zlib-devel + +Requires: mod_nss +Requires: mod_perl +Requires: mod_revocator +Requires: openldap-clients +Requires: perl-Mozilla-LDAP +Requires: pki-native-tools +Requires: pki-selinux +Requires: pki-setup +Requires: pki-tps-theme >= 9.0.0 +Requires(post): chkconfig +Requires(preun): chkconfig +Requires(preun): initscripts +Requires(postun): initscripts +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +Requires: initscripts +%endif + +Source0: http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}%{?prerel}.tar.gz + +%global overview \ +Certificate System (CS) is an enterprise software system designed \ +to manage enterprise Public Key Infrastructure (PKI) deployments. 
\ + \ +The Token Processing System (TPS) is an optional PKI subsystem that acts \ +as a Registration Authority (RA) for authenticating and processing \ +enrollment requests, PIN reset requests, and formatting requests from \ +the Enterprise Security Client (ESC). \ + \ +TPS is designed to communicate with tokens that conform to \ +Global Platform's Open Platform Specification. \ + \ +TPS communicates over SSL with various PKI backend subsystems (including \ +the Certificate Authority (CA), the Data Recovery Manager (DRM), and the \ +Token Key Service (TKS)) to fulfill the user's requests. \ + \ +TPS also interacts with the token database, an LDAP server that stores \ +information about individual tokens. \ + \ +For deployment purposes, a TPS requires the following components from the \ +PKI Core package: \ + \ + * pki-setup \ + * pki-native-tools \ + * pki-selinux \ + \ +and can also make use of the following optional components from the \ +PKI CORE package: \ + \ + * pki-silent \ + \ +Additionally, Certificate System requires ONE AND ONLY ONE of the \ +following "Mutually-Exclusive" PKI Theme packages: \ + \ + * dogtag-pki-theme (Dogtag Certificate System deployments) \ + * redhat-pki-theme (Red Hat Certificate System deployments) \ + \ +%{nil} + +%description %{overview} + + +================================== +|| ABOUT "CERTIFICATE SYSTEM" || +================================== +${overview} + + +%prep + + +%setup -q -n %{name}-%{version}%{?prerel} + +cat << \EOF > %{name}-prov +#!/bin/sh +%{__perl_provides} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_provides %{_builddir}/%{name}-%{version}%{?prerel}/%{name}-prov +chmod +x %{__perl_provides} + +cat << \EOF > %{name}-req +#!/bin/sh +%{__perl_requires} $* |\ +sed -e '/perl(PKI.*)/d' -e '/perl(Template.*)/d' +EOF + +%global __perl_requires %{_builddir}/%{name}-%{version}%{?prerel}/%{name}-req +chmod +x %{__perl_requires} + + +%clean +%{__rm} -rf %{buildroot} + + +%build 
+%{__mkdir_p} build +cd build +%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_TPS:BOOL=ON .. +%{__make} VERBOSE=1 %{?_smp_mflags} + + +%install +%{__rm} -rf %{buildroot} +cd build +%{__make} install DESTDIR=%{buildroot} INSTALL="install -p" + +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/demo/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/home/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/so/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/sow/*.cgi +chmod 755 %{buildroot}%{_datadir}/pki/tps/cgi-bin/sow/cfg.pl + +# This should be done in CMAKE +cd %{buildroot}/%{_datadir}/pki/tps/docroot +%{__ln_s} tokendb tus + +# Internal libraries for 'tps' are present in: +# +# * '/usr/lib/tps' (i386) +# * '/usr/lib64/tps' (x86_64) +# +mkdir %{buildroot}%{_sysconfdir}/ld.so.conf.d +echo %{_libdir}/tps > %{buildroot}%{_sysconfdir}/ld.so.conf.d/tps-%{_arch}.conf + +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d +# generate 'pki-tps.conf' under the 'tmpfiles.d' directory +echo "D /var/lock/pki 0755 root root -" > %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/lock/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/run/pki 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +echo "D /var/run/pki/tps 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-tps.conf +%endif + + +%post +/sbin/ldconfig +# This adds the proper /etc/rc*.d links for the script +/sbin/chkconfig --add pki-tpsd || : + + +%preun +if [ $1 = 0 ] ; then + /sbin/service pki-tpsd stop >/dev/null 2>&1 + /sbin/chkconfig --del pki-tpsd || : +fi + + +%postun +if [ "$1" -ge "1" ] ; then + /sbin/service pki-tpsd condrestart >/dev/null 2>&1 || : +fi + + +%files +%defattr(-,root,root,-) +%doc base/tps/LICENSE +%{_initrddir}/pki-tpsd 
+%config(noreplace) %{_sysconfdir}/ld.so.conf.d/tps-%{_arch}.conf +%{_bindir}/tpsclient +%{_libdir}/httpd/modules/* +%{_libdir}/tps/ +%dir %{_datadir}/pki/tps +%{_datadir}/pki/tps/applets/ +%{_datadir}/pki/tps/cgi-bin/ +%{_datadir}/pki/tps/conf/ +%{_datadir}/pki/tps/docroot/ +%{_datadir}/pki/tps/lib/ +%{_datadir}/pki/tps/samples/ +%{_datadir}/pki/tps/scripts/ +%{_datadir}/pki/tps/setup/ +%dir %{_localstatedir}/lock/pki/tps +%dir %{_localstatedir}/run/pki/tps +%if 0%{?fedora} >= 15 +# Details: +# +# * https://fedoraproject.org/wiki/Features/var-run-tmpfs +# * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft +# +%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-tps.conf +%endif + + +%changelog +* Wed Feb 1 2012 Nathan Kinder 10.0.0-0.1.a1 +- Updated package version number + +* Thu Sep 22 2011 Jack Magne 9.0.7-1 +- Bugzilla Bug #730146 - SSL handshake picks non-FIPS ciphers in FIPS mode (cfu) +- Bugzilla Bug #730162 - TPS/TKS token enrollment failure in FIPS mode + (hsm+NSS). (jmagne) +- Bugzilla Bug #737184 - TPS UI display admin user name as + "undefined TUS Administrator". (awnuk) +- Bugzilla Bug #735191 - in ou=tokens, token_type not getting updated if a + card is changed from one type to another (awnuk) + +* Wed Aug 10 2011 Jack Magne 9.0.6-1 +- Bugzilla Bug #725572 - Starting TPS subsystem with no pre-existing audit + log file does not write audit messages. + +* Thu Jul 14 2011 Matthew Harmsen 9.0.5-1 +- Bugzilla Bug #697035 - TPS database schema not populated correctly + (alee) +- Bugzilla Bug #694569 - parameter used by pkiremove not updated (alee) +- Bugzilla Bug #696851 - TPS crashes that cause AuditVerify on TPS audit + logs - some of the signatures are failing. (jmagne) +- Bugzilla Bug #699837 - service command is not fully backwards + compatible with Dogtag pki subsystems (mharmsen) +- Bugzilla Bug #696443 - ESC display Smartcard renewal operation success + for a failed renewal operation. 
(jmagne) +- Bugzilla Bug #707095 - tps delete user operation should check for roles + (not have them passed in) (alee) +- Bugzilla Bug #717813 - EV_AUDIT_LOG_SHUTDOWN audit log not generated + for tps and ca on server shutdown (alee) +- Bugzilla Bug #717765 - TPS configuration: logging into security domain + from tps does not work with clientauth=want. (alee) +- Bugzilla Bug #669226 - Remove Legacy Build System (mharmsen) + +* Tue Apr 26 2011 Matthew Harmsen 9.0.4-1 +- Bugzilla Bug #697035 - TPS database schema not populated correctly +- Bugzilla Bug #694569 - parameter used by pkiremove not updated +- Bugzilla Bug #696851 - TPS crashes that cause AuditVerify on + TPS audit logs - some of the signatures are failing. +- Bugzilla Bug #699837 - service command is not fully backwards compatible + with Dogtag pki subsystems + +* Tue Apr 5 2011 Matthew Harmsen 9.0.3-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #691867 - add ldaps support through perLDAP + +* Fri Mar 25 2011 Matthew Harmsen 9.0.2-1 +- Bugzilla Bug #690950 - Update Dogtag Packages for Fedora 15 (beta) +- Bugzilla Bug #684381 - CS.cfg specifies incorrect type of comments +- Bugzilla Bug #689956 - TPS Configuration with nethsm: audit signing + certificate location is not configured to nethsm in CS.cfg + +* Thu Mar 17 2011 Matthew Harmsen 9.0.1-1 +- Bugzilla Bug #688763 - Rebase updated Dogtag Packages for Fedora 15 (alpha) +- Bugzilla Bug #676421 - CC: Remove unused TPS interface calls and add + audit logging +- Bugzilla Bug #676678 - Missing audit log messages for Secure Channel + Generation. +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #676152 - Token enrollment with symmetric key change over + fails. +- Bugzilla Bug #674396 - TPS: some audit signatures failed to verify +- Bugzilla Bug #680567 - CC doc: remove update.applet.directory audit + message from TPS doc. 
+- Bugzilla Bug #681066 - TPS authentication crash when exercising audit + log message. +- Bugzilla Bug #684259 - incorrect group used for tps operators + +* Wed Dec 1 2010 Matthew Harmsen 9.0.0-1 +- Updated Dogtag 1.3.x --> Dogtag 2.0.0 --> Dogtag 9.0.0 +- Bugzilla Bug #620863 - saved CS.cfg files should be moved to a subdirectory + to avoid cluttering +- Bugzilla Bug #607373 - add self test framework to TPS subsytem +- Bugzilla Bug #607374 - add self test to TPS self test framework +- Bugzilla Bug #624847 - Installed TPS cannot be started to be configured. +- Bugzilla Bug #620925 - CC: auditor needs to be able to download audit logs + in the java subsystems +- Bugzilla Bug #547507 - Token renewal: certs on the token is deleted when + one of the certs on the token is outside renewal grace period. +- Bugzilla Bug #622535 - 64 bit host zlib uncompress operation fails when + reading data from token. +- Bugzilla Bug #497931 - CS 8.0 -- Have to download and stall the trust chain + through ESC even if it was already installed in the browser. +- Bugzilla Bug #579790 - errors in ESC communications can leave unusable + tokens and inconsistent data in TPS +- Bugzilla Bug #631474 - Token enrollment with TPS Client fails with error + 'Applet memory exceeded when writing out final token data' +- Bugzilla Bug #488762 - Found HTTP TRACE method enabled on TPS +- Bugzilla Bug #633405 - Tps client unable to perform token enrollment when + tried to load certificates with 2048 bit keys +- Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be + generated on TKS instead of TPS. 
+- Bugzilla Bug #574942 - TPS database has performance problems with a large + number of tokens +- Bugzilla Bug #637982 - some selftest parameters are not properly substituted +- Bugzilla Bug #637824 - TPS UI: Profile state in CS.cfg is Pending Approval + after agent approve and Enable +- Bugzilla Bug #223313 - should do random generated IV param + for symmetric keys +- Bugzilla Bug #628995 - TPS CC requirement: Unused predicates for revocation + controls for TPS enrollment profiles should be removed. +- Bugzilla Bug #642084 - CC feature: Key Management -provide signature + verification functions (TPS subsystem) +- Bugzilla Bug #646545 - TPS Agent tab: displays approve list parameter with + last character chopped. +- Bugzilla Bug #532724 - Feature: ESC Security officer work station should + display % of operation complete for format SO card +- Bugzilla Bug #647364 - CC: audit signing certs for JAVA subsystems fail + CIMC cert verification (expose updated cert verification function in JSS) +- Bugzilla Bug #651087 - TPS UI Admin tab display 'null' string in the + General configuration +- Bugzilla Bug #651916 - kra and ocsp are using incorrect ports + to talk to CA and complete configuration in DonePanel +- Bugzilla Bug #632425 - Port to tomcat6 +- Bugzilla Bug #638377 - Generate PKI UI components which exclude + a GUI interface +- Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module Panel + up to before Security Domain Panel +- Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for + validity +- Bugzilla Bug #643206 - New CMake based build system for Dogtag +- Bugzilla Bug #499494 - change CA defaults to SHA2 +- Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke certs + in TPS +- Bugzilla Bug #223314 - AOL: Better activities logs +- Bugzilla Bug #651001 - TPS does not create a password for entries in ldap. 
+ This violates STIG requirements +- Bugzilla Bug #512248 - Status mismatch for the encryption cert in tps agent + and CA when a temporary smart card is issued. +- Bugzilla Bug #666902 - TPS needs to call CERT_VerifyCertificate() correctly +- Bugzilla Bug #223319 - Certificate Status inconsistency between token db + and CA +- Bugzilla Bug #669055 - TPS server does not re-start when signedAudit + logging is turned ON +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #606944 - Convert TPS to use ldap utilities and API from + OpenLDAP instead of the Mozldap +- Bugzilla Bug #614639 - 64k gemalto usb token no longer works properly + after a "logout" request is issued +- Bugzilla Bug #671522 - TPS AuditVerify fails. +- Bugzilla Bug #669804 - on active token re-enroll, TPS does not revoke and + remove existing certs. +- Bugzilla Bug #656666 - Please Update Spec File to use 'ghost' on files + in /var/run and /var/lock + +* Wed Aug 04 2010 Matthew Harmsen 1.3.2-1 +- Bugzilla Bug #601299 - tps installation does not update security domain +- Bugzilla Bug #527593 - More robust signature digest alg, like SHA256 + instead of SHA1 for ECC +- Bugzilla Bug #528236 - rhcs80 web conf wizard - cannot specify CA signing + algorithm +- Bugzilla Bug #533510 - tps exception, cannot start when signed audit true +- Bugzilla Bug #529280 - TPS returns HTTP data without ending in 0rn + per RFC 2616 +- Bugzilla Bug #498299 - Should not be able to change the status manually + on a token marked as permanently lost or destroyed +- Bugzilla Bug #554892 - configurable frequency signed audit +- Bugzilla Bug #500700 - tps log rotation +- Bugzilla Bug #562893 - tps shutdown if audit logs full +- Bugzilla Bug #557346 - Name Constraints Extension cant be marked critical +- Bugzilla Bug #556152 - ACL changes to CA and OCSP +- Bugzilla Bug #556167 - ACL changes to CA and OCSP +- Bugzilla Bug #581004 - add more audit logging to the TPS 
+- Bugzilla Bug #566517 - CC: Add client auth to OCSP publishing, + and move to a client-auth port +- Bugzilla Bug #565842 - Clone config throws errors - fix key_algorithm +- Bugzilla Bug #581017 - enabling log signing from tps ui pages causes tps + crash +- Bugzilla Bug #581004 - add more audit logs +- Bugzilla Bug #595871 - CC: TKS needed audit message changes +- Bugzilla Bug #598752 - Common Criteria: TKS ACL analysis result. +- Bugzilla Bug #598666 - Common Criteria: incorrect ACLs for signedAudit +- Bugzilla Bug #504905 - Smart card renewal should load old encryption cert + on the token. +- Bugzilla Bug #499292 - TPS - Enrollments where keys are recovered need + to do both GenerateNewKey and RecoverLast operation for encryption key. +- Bugzilla Bug #498299 - fix case where no transitions available +- Bugzilla Bug #604186 - Common Criteria: TPS: Key Recovery needs + to meet CC requirements +- Bugzilla Bug #604178 - Common Criteria: TPS: cert registration needs + to meet CC requirements +- Bugzilla Bug #600968 - Common Criteria: TPS: cert registration needs + to meet CC requirements +- Bugzilla Bug #607381 - Common Criteria: TPS: cert registration needs + to meet CC requirements + +* Thu Apr 08 2010 Matthew Harmsen 1.3.1-1 +- Bugzilla Bug #564131 - Config wizard : all subsystems - done panel text + needs correction + +* Tue Feb 16 2010 Matthew Harmsen 1.3.0-8 +- Bugzilla Bug #566060 - Add 'pki-native-tools' as a runtime dependency + for RA, and TPS . . . + +* Fri Jan 29 2010 Matthew Harmsen 1.3.0-7 +- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Applied filters for unwanted perl provides and requires +- Applied %{?_smp_mflags} option to 'make' +- Removed manual 'strip' commands + +* Thu Jan 28 2010 Matthew Harmsen 1.3.0-6 +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . 
+- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System + +* Wed Jan 27 2010 Kevin Wright 1.3.0-5 +- Bugzilla Bug #553852 - Review Request: pki-tps - The Dogtag PKI System + Token Processing System +- Per direction from the Fedora community, + removed the following explicit "Requires": + perl-HTML-Parser + perl-HTML-Tagset + perl-Parse-RecDescent + perl-URI + perl-XML-NamespaceSupport + perl-XML-Parser + perl-XML-Simple + +* Thu Jan 14 2010 Matthew Harmsen 1.3.0-4 +- Bugzilla Bug #512234 - Move pkiuser:pkiuser check from spec file into + pkicreate . . . +- Bugzilla Bug #547471 - Apply PKI SELinux changes to PKI registry model +- Bugzilla Bug #553076 - Apply "registry" logic to pki-ra . . . +- Bugzilla Bug #553078 - Apply "registry" logic to pki-tps . . . +- Bugzilla Bug #553852 - Review Request: pki-tps - Dogtag Certificate System + Token Processing System + +* Mon Dec 14 2009 Kevin Wright 1.3.0-3 +- Removed BuildRequires bash - Removed 'with exceptions' from License + +* Mon Nov 02 2009 Matthew Harmsen 1.3.0-2 +- Bugzilla Bug #X - Packaging for Fedora Dogtag PKI +- Prepended directory path in front of setup_package +- Take ownership of pki tps directory. + +* Fri Oct 16 2009 Matthew Harmsen 1.3.0-1 +- Bugzilla Bug #X - Packaging for Fedora Dogtag PKI + -- cgit
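Review bot: `%post` runs `/sbin/ldconfig` after installing `ld.so.conf.d/tps-%{_arch}.conf`, but `%postun` never does, so an erase leaves stale entries for `%{_libdir}/tps` in the linker cache; `%postun` should begin with `/sbin/ldconfig`. Registering that directory in `ld.so.conf.d` also puts the TPS-internal libraries on the search path of every process on the host. An RPATH on `tpsclient` and the httpd modules would keep them private, though the hunk does not show whether anything else relies on the global entry. In `%install`, `mkdir %{buildroot}%{_sysconfdir}/ld.so.conf.d` has no `-p` and fails if `%{_sysconfdir}` is missing from the buildroot, unlike the `%{__mkdir_p}` used for `tmpfiles.d` a few lines later. The `%description` body contains `${overview}`, which RPM does not expand; `%{overview}` looks intended.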