path: root/pki/specs/pki-core.spec

Name:             pki-core
Version:          9.0.3
Release:          20%{?dist}
Summary:          Certificate System - PKI Core Components
URL:              http://pki.fedoraproject.org/
License:          GPLv2
Group:            System Environment/Daemons

BuildRoot:        %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

# jss requires versioning to meet both build and runtime requirements
# tomcatjss requires versioning since version 2.0.0 requires tomcat6
# pki-common-theme requires versioning to meet runtime requirements
# pki-ca-theme requires versioning to meet runtime requirements
BuildRequires:    cmake
BuildRequires:    java-devel >= 1:1.6.0
BuildRequires:    jpackage-utils
BuildRequires:    jss >= 4.2.6-12
BuildRequires:    ldapjdk
BuildRequires:    nspr-devel
BuildRequires:    nss-devel
BuildRequires:    openldap-devel
BuildRequires:    osutil
BuildRequires:    pkgconfig
BuildRequires:    policycoreutils
BuildRequires:    selinux-policy-devel
BuildRequires:    tomcatjss >= 2.0.0
BuildRequires:    velocity
BuildRequires:    xalan-j2
BuildRequires:    xerces-j2

Source0:          http://pki.fedoraproject.org/pki/sources/%{name}/%{name}-%{version}.tar.gz

Patch0:           %{name}-%{version}-r1846.patch
Patch1:           %{name}-%{version}-r1860.patch
Patch2:           %{name}-%{version}-r1862.patch
Patch3:           %{name}-%{version}-r1864.patch
Patch4:           %{name}-%{version}-r1875.patch
Patch5:           %{name}-%{version}-r1879.patch
Patch6:           %{name}-%{version}-r1886.patch
Patch7:           %{name}-%{version}-r1908.patch
Patch8:           %{name}-%{version}-r2074.patch
Patch9:           %{name}-%{version}-r2097.patch
Patch10:          %{name}-%{version}-r2103.patch
Patch11:          %{name}-%{version}-r2104.patch
Patch12:          %{name}-%{version}-r2106.patch
Patch13:          %{name}-%{version}-r2112.patch
Patch14:          %{name}-%{version}-r2118.patch
Patch15:          %{name}-%{version}-r2125.patch
Patch16:          %{name}-%{version}-r2126.patch
Patch17:          %{name}-%{version}-r2128.patch
Patch18:          %{name}-%{version}-r2149.patch
Patch19:          %{name}-%{version}-r2151.patch
Patch20:          %{name}-%{version}-r2153.patch
Patch21:          %{name}-%{version}-r2161.patch
Patch22:          %{name}-%{version}-r2163.patch
Patch23:          %{name}-%{version}-r2182.patch
Patch24:          %{name}-%{version}-r2249.patch

%if 0%{?rhel}
ExcludeArch:      ppc ppc64 s390 s390x
%endif

%global saveFileContext() \
if [ -s /etc/selinux/config ]; then \
     . %{_sysconfdir}/selinux/config; \
     FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
     if [ "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT} ]; then \
          cp -f ${FILE_CONTEXT} ${FILE_CONTEXT}.%{name}; \
     fi \
fi;

%global relabel() \
. %{_sysconfdir}/selinux/config; \
FILE_CONTEXT=%{_sysconfdir}/selinux/%1/contexts/files/file_contexts; \
selinuxenabled; \
if [ $? == 0  -a "${SELINUXTYPE}" == %1 -a -f ${FILE_CONTEXT}.%{name} ]; then \
     fixfiles -C ${FILE_CONTEXT}.%{name} restore; \
     rm -f ${FILE_CONTEXT}.%name; \
fi;

%global overview                                                       \
==================================                                     \
||  ABOUT "CERTIFICATE SYSTEM"  ||                                     \
==================================                                     \
                                                                       \
Certificate System (CS) is an enterprise software system designed      \
to manage enterprise Public Key Infrastructure (PKI) deployments.      \
                                                                       \
PKI Core contains fundamental packages required by Certificate System, \
and consists of the following components:                              \
                                                                       \
  * pki-setup                                                          \
  * pki-symkey                                                         \
  * pki-native-tools                                                   \
  * pki-util                                                           \
  * pki-util-javadoc                                                   \
  * pki-java-tools                                                     \
  * pki-java-tools-javadoc                                             \
  * pki-common                                                         \
  * pki-common-javadoc                                                 \
  * pki-selinux                                                        \
  * pki-ca                                                             \
  * pki-silent                                                         \
                                                                       \
which comprise the following PKI subsystems:                           \
                                                                       \
  * Certificate Authority (CA)                                         \
                                                                       \
For deployment purposes, Certificate System requires ONE AND ONLY ONE  \
of the following "Mutually-Exclusive" PKI Theme packages:              \
                                                                       \
  * ipa-pki-theme    (IPA deployments)                                 \
  * dogtag-pki-theme (Dogtag Certificate System deployments)           \
  * redhat-pki-theme (Red Hat Certificate System deployments)          \
                                                                       \
%{nil}

%description %{overview}


%package -n       pki-setup
Summary:          Certificate System - PKI Instance Creation & Removal Scripts
Group:            System Environment/Base

BuildArch:        noarch

Requires:         perl-Crypt-SSLeay
Requires:         policycoreutils
Requires:         openldap-clients

%description -n   pki-setup
PKI setup scripts are used to create and remove instances from PKI deployments.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-symkey
Summary:          Symmetric Key JNI Package
Group:            System Environment/Libraries

Requires:         java >= 1:1.6.0
Requires:         jpackage-utils
Requires:         jss >= 4.2.6-12
Requires:         nss

Provides:         symkey = %{version}-%{release}

Obsoletes:        symkey < %{version}-%{release}

%description -n   pki-symkey
The Symmetric Key Java Native Interface (JNI) package supplies various native
symmetric key operations to Java programs.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-native-tools
Summary:          Certificate System - Native Tools
Group:            System Environment/Base

Requires:         openldap-clients
Requires:         nss
Requires:         nss-tools

%description -n   pki-native-tools
These platform-dependent PKI executables are used to help make
Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-util
Summary:          Certificate System - PKI Utility Framework
Group:            System Environment/Base

BuildArch:        noarch

Requires:         java >= 1:1.6.0
Requires:         jpackage-utils
Requires:         jss >= 4.2.6-12
Requires:         ldapjdk

%description -n   pki-util
The PKI Utility Framework is required by the following four PKI subsystems:

    the Certificate Authority (CA),
    the Data Recovery Manager (DRM),
    the Online Certificate Status Protocol (OCSP) Manager, and
    the Token Key Service (TKS).

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-util-javadoc
Summary:          Certificate System - PKI Utility Framework Javadocs
Group:            Documentation

BuildArch:        noarch

Requires:         pki-util = %{version}-%{release}

%description -n   pki-util-javadoc
This documentation pertains exclusively to version %{version} of
the PKI Utility Framework.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-java-tools
Summary:          Certificate System - PKI Java-Based Tools
Group:            System Environment/Base

BuildArch:        noarch

Requires:         java >= 1:1.6.0
Requires:         pki-native-tools = %{version}-%{release}
Requires:         pki-util = %{version}-%{release}

%description -n   pki-java-tools
These platform-independent PKI executables are used to help make
Certificate System into a more complete and robust PKI solution.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-java-tools-javadoc
Summary:          Certificate System - PKI Java-Based Tools Javadocs
Group:            Documentation

BuildArch:        noarch

Requires:         pki-java-tools = %{version}-%{release}

%description -n   pki-java-tools-javadoc
This documentation pertains exclusively to version %{version} of
the PKI Java-Based Tools.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-common
Summary:          Certificate System - PKI Common Framework
Group:            System Environment/Base

BuildArch:        noarch

%if 0%{?fedora} >= 14
Requires:         apache-commons-lang
Requires:         apache-commons-logging
%endif
%if 0%{?rhel} || 0%{?fedora} < 14
Requires:         jakarta-commons-lang
Requires:         jakarta-commons-logging
%endif
Requires:         java >= 1:1.6.0
Requires:         jss >= 4.2.6-12
Requires:         osutil
Requires:         pki-common-theme >= 9.0.0
Requires:         pki-java-tools = %{version}-%{release}
Requires:         pki-setup = %{version}-%{release}
Requires:         pki-symkey = %{version}-%{release}
Requires:         tomcatjss >= 2.0.0
Requires:         %{_javadir}/ldapjdk.jar
Requires:         %{_javadir}/velocity.jar
Requires:         %{_javadir}/xalan-j2.jar
Requires:         %{_javadir}/xalan-j2-serializer.jar
Requires:         %{_javadir}/xerces-j2.jar
Requires:         %{_javadir}/xml-commons-apis.jar
Requires:         %{_javadir}/xml-commons-resolver.jar
Requires:         velocity

%description -n   pki-common
The PKI Common Framework is required by the following four PKI subsystems:

    the Certificate Authority (CA),
    the Data Recovery Manager (DRM),
    the Online Certificate Status Protocol (OCSP) Manager, and
    the Token Key Service (TKS).

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-common-javadoc
Summary:          Certificate System - PKI Common Framework Javadocs
Group:            Documentation

BuildArch:        noarch

Requires:         pki-common = %{version}-%{release}

%description -n   pki-common-javadoc
This documentation pertains exclusively to version %{version} of
the PKI Common Framework.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-selinux
Summary:          Certificate System - PKI Selinux Policies
Group:            System Environment/Base

BuildArch:        noarch

Requires:         policycoreutils
Requires:         selinux-policy-targeted

%description -n   pki-selinux
Selinux policies for the PKI components.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-ca
Summary:          Certificate System - Certificate Authority
Group:            System Environment/Daemons

BuildArch:        noarch

Requires:         java >= 1:1.6.0
Requires:         pki-ca-theme >= 9.0.0
Requires:         pki-common = %{version}-%{release}
Requires:         pki-selinux = %{version}-%{release}
Requires(post):   chkconfig
Requires(preun):  chkconfig
Requires(preun):  initscripts
Requires(postun): initscripts
%if 0%{?fedora} >= 15
# Details:
#
#     * https://fedoraproject.org/wiki/Features/var-run-tmpfs
#     * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
#
Requires:         initscripts
%endif

%description -n   pki-ca
The Certificate Authority (CA) is a required PKI subsystem which issues,
renews, revokes, and publishes certificates as well as compiling and
publishing Certificate Revocation Lists (CRLs).

The Certificate Authority can be configured as a self-signing Certificate
Authority, where it is the root CA, or it can act as a subordinate CA,
where it obtains its own signing certificate from a public CA.

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%package -n       pki-silent
Summary:          Certificate System - Silent Installer
Group:            System Environment/Base

BuildArch:        noarch

Requires:         java >= 1:1.6.0
Requires:         pki-common = %{version}-%{release}

%description -n   pki-silent
The PKI Silent Installer may be used to "automatically" configure
the following PKI subsystems in a non-graphical (batch) fashion
including:

    the Certificate Authority (CA),
    the Data Recovery Manager (DRM),
    the Online Certificate Status Protocol (OCSP) Manager,
    the Registration Authority (RA),
    the Token Key Service (TKS), and/or
    the Token Processing System (TPS).

This package is a part of the PKI Core used by the Certificate System.

%{overview}


%prep


%setup -q


%patch0 -b .p0
%patch1 -b .p1
%patch2 -b .p2
%patch3 -b .p3
%patch4 -b .p4
%patch5 -b .p5
%patch6 -b .p6
%patch7 -b .p7
%patch8 -b .p8
%patch9 -b .p9
%patch10 -b .p10
%patch11 -b .p11
%patch12 -b .p12
%patch13 -b .p13
%patch14 -b .p14
%patch15 -b .p15
%patch16 -b .p16
%patch17 -b .p17
%patch18 -b .p18
%patch19 -b .p19
%patch20 -b .p20
%patch21 -b .p21
%patch22 -b .p22
%patch23 -b .p23
%patch24 -b .p24


%clean
%{__rm} -rf %{buildroot}


%build
%{__mkdir_p} build
cd build
%cmake -DVAR_INSTALL_DIR:PATH=/var -DBUILD_PKI_CORE:BOOL=ON ..
%{__make} VERBOSE=1 %{?_smp_mflags}


%install
%{__rm} -rf %{buildroot}
cd build
%{__make} install DESTDIR=%{buildroot} INSTALL="install -p"

cd %{buildroot}%{_libdir}/symkey
%{__rm} symkey.jar
%{__ln_s} symkey-%{version}.jar symkey.jar

cd %{buildroot}%{_jnidir}
%{__rm} symkey.jar
%{__ln_s} %{_libdir}/symkey/symkey.jar symkey.jar

%if 0%{?fedora} >= 15
# Details:
#
#     * https://fedoraproject.org/wiki/Features/var-run-tmpfs
#     * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
#
%{__mkdir_p} %{buildroot}%{_sysconfdir}/tmpfiles.d
# generate 'pki-ca.conf' under the 'tmpfiles.d' directory
echo "D /var/lock/pki 0755 root root -"    >  %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
echo "D /var/lock/pki/ca 0755 root root -" >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
echo "D /var/run/pki 0755 root root -"     >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
echo "D /var/run/pki/ca 0755 root root -"  >> %{buildroot}%{_sysconfdir}/tmpfiles.d/pki-ca.conf
%endif


%pre -n pki-selinux
%saveFileContext targeted


%post -n pki-selinux
semodule -s targeted -i %{_datadir}/selinux/modules/pki.pp
%relabel targeted


%preun -n pki-selinux
if [ $1 = 0 ]; then
     %saveFileContext targeted
fi


%postun -n pki-selinux
if [ $1 = 0 ]; then
     semodule -s targeted -r pki
     %relabel targeted
fi


%post -n pki-ca
# This adds the proper /etc/rc*.d links for the script
/sbin/chkconfig --add pki-cad || :


%preun -n pki-ca
if [ $1 = 0 ] ; then
    /sbin/service pki-cad stop >/dev/null 2>&1
    /sbin/chkconfig --del pki-cad || :
fi


%postun -n pki-ca
if [ "$1" -ge "1" ] ; then
    /sbin/service pki-cad condrestart >/dev/null 2>&1 || :
fi


%files -n pki-setup
%defattr(-,root,root,-)
%doc base/setup/LICENSE
%{_bindir}/pkicreate
%{_bindir}/pkiremove
%{_bindir}/pki-setup-proxy
%dir %{_datadir}/pki
%dir %{_datadir}/pki/scripts
%{_datadir}/pki/scripts/pkicommon.pm
%if 0%{?rhel} || 0%{?fedora} < 15
%dir %{_localstatedir}/lock/pki
%dir %{_localstatedir}/run/pki
%endif


%files -n pki-symkey
%defattr(-,root,root,-)
%doc base/symkey/LICENSE
%{_jnidir}/symkey.jar
%{_libdir}/symkey/


%files -n pki-native-tools
%defattr(-,root,root,-)
%doc base/native-tools/LICENSE base/native-tools/doc/README
%{_bindir}/bulkissuance
%{_bindir}/p7tool
%{_bindir}/revoker
%{_bindir}/setpin
%{_bindir}/sslget
%{_bindir}/tkstool
%dir %{_datadir}/pki
%{_datadir}/pki/native-tools/


%files -n pki-util
%defattr(-,root,root,-)
%doc base/util/LICENSE
%dir %{_javadir}/pki
%{_javadir}/pki/pki-cmsutil-%{version}.jar
%{_javadir}/pki/pki-cmsutil.jar
%{_javadir}/pki/pki-nsutil-%{version}.jar
%{_javadir}/pki/pki-nsutil.jar

%files -n pki-util-javadoc
%defattr(-,root,root,-)
%{_javadocdir}/pki-util-%{version}/


%files -n pki-java-tools
%defattr(-,root,root,-)
%doc base/java-tools/LICENSE
%{_bindir}/AtoB
%{_bindir}/AuditVerify
%{_bindir}/BtoA
%{_bindir}/CMCEnroll
%{_bindir}/CMCRequest
%{_bindir}/CMCResponse
%{_bindir}/CMCRevoke
%{_bindir}/CRMFPopClient
%{_bindir}/ExtJoiner
%{_bindir}/GenExtKeyUsage
%{_bindir}/GenIssuerAltNameExt
%{_bindir}/GenSubjectAltNameExt
%{_bindir}/HttpClient
%{_bindir}/OCSPClient
%{_bindir}/PKCS10Client
%{_bindir}/PKCS12Export
%{_bindir}/PrettyPrintCert
%{_bindir}/PrettyPrintCrl
%{_bindir}/TokenInfo
%{_javadir}/pki/pki-tools-%{version}.jar
%{_javadir}/pki/pki-tools.jar

%files -n pki-java-tools-javadoc
%defattr(-,root,root,-)
%{_javadocdir}/pki-java-tools-%{version}/


%files -n pki-common
%defattr(-,root,root,-)
%doc base/common/LICENSE
%{_javadir}/pki/pki-certsrv-%{version}.jar
%{_javadir}/pki/pki-certsrv.jar
%{_javadir}/pki/pki-cms-%{version}.jar
%{_javadir}/pki/pki-cms.jar
%{_javadir}/pki/pki-cmsbundle-%{version}.jar
%{_javadir}/pki/pki-cmsbundle.jar
%{_javadir}/pki/pki-cmscore-%{version}.jar
%{_javadir}/pki/pki-cmscore.jar
%{_datadir}/pki/scripts/functions
%{_datadir}/pki/scripts/pki_apache_initscript
%{_datadir}/pki/setup/

%files -n pki-common-javadoc
%defattr(-,root,root,-)
%{_javadocdir}/pki-common-%{version}/


%files -n pki-selinux
%defattr(-,root,root,-)
%doc base/selinux/LICENSE
%{_datadir}/selinux/modules/pki.pp


%files -n pki-ca
%defattr(-,root,root,-)
%doc base/ca/LICENSE
%{_initrddir}/pki-cad
%{_javadir}/pki/pki-ca-%{version}.jar
%{_javadir}/pki/pki-ca.jar
%dir %{_datadir}/pki/ca
%{_datadir}/pki/ca/conf/
%{_datadir}/pki/ca/emails/
%dir %{_datadir}/pki/ca/profiles
%{_datadir}/pki/ca/profiles/ca/
%{_datadir}/pki/ca/webapps/
%{_datadir}/pki/ca/setup/
%dir %{_localstatedir}/lock/pki/ca
%dir %{_localstatedir}/run/pki/ca
%if 0%{?fedora} >= 15
# Details:
#
#     * https://fedoraproject.org/wiki/Features/var-run-tmpfs
#     * https://fedoraproject.org/wiki/Tmpfiles.d_packaging_draft
#
%config(noreplace) %{_sysconfdir}/tmpfiles.d/pki-ca.conf
%endif


%files -n pki-silent
%defattr(-,root,root,-)
%doc base/silent/LICENSE
%{_bindir}/pkisilent
%{_javadir}/pki/pki-silent-%{version}.jar
%{_javadir}/pki/pki-silent.jar
%{_datadir}/pki/silent/


%changelog
* Fri Aug 26 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-20
- Resolves #737179 - Need script to upgrade proxy configuration, r2249

* Fri Aug 26 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-19
- Resolves #730801 - Coverity issues in native-tools area, r2182

* Tue Aug 23 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-18
- Resolves #730801 - Coverity issues in native-tools area, r2163

* Tue Aug 23 2011 Ade Lee <alee@redhat.com> 9.0.3-17
- Resolves #712931 - CS requires too many ports to be open in the FW, r2161

* Mon Aug 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-16
- Resolves #717643 - Fopen without NULL check and other Coverity issues

* Mon Aug 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-15
- Resolves #717643 - Fopen without NULL check and other Coverity issues

* Mon Aug 15 2011 Ade Lee <alee@redhat.com> 9.0.3-14
- Resolves #700522 - pki tomcat6 instances currently running unconfined, 
  allow server to come up when selinux disabled, r2149

* Thu Aug 4 2011 Ade Lee <alee@redhat.com> 9.0.3-13
- Resolves #698796: Race conditions during IPA installation, r2103 (alee)
- Resolves #708075 - Clone installation does not work over NAT, r2104 (alee)
- Resolves #726785 - If replication fails while setting up a clone it 
  will wait forever, r2106 (alee)
- Resolves #691076 - pkiremove removes the registry entry for all instances
  on a machine, r2112 (mharmsen)
- Resolves #693835 - /var/log/tomcat6/catalina.out owned by pkiuser, r2118
  (mharmsen)
- Resolves #729126 - Increase default validity from 6mo to 2yrs in IPA
  profile, r2125 (awnuk)
- Resolves #728651 - CS8 64 bit pkicreate script uses wrong library name
  for, r2126 (mharmsen)
- Resolves #700522 - pki tomcat6 instances currently running unconfined,
  r2128 (alee)

* Wed Aug 3 2011 Ade Lee <alee@redhat.com> 9.0.3-12
- Resolves #689909 - Dogtag installation under IPA takes too much
  time - remove the inefficient sleeps, r2097

* Fri Jul 22 2011 Andrew Wnuk <awnuk@redhat.com> 9.0.3-11
- Resolves #722634 - Add client usage flag to caIPAserviceCert, r2074

* Tue Mar 22 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-10
- Resolves #688251 - Dogtag installation under IPA takes too much
  time - SELinux policy compilation, r1908

* Fri Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-9
- Resolves: bug 645097 
- update to the pki-core-9.0.3-r1886.patch file

* Wed Mar 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-8
- Resolves 645097 
- Resolves #683172 - pkisilent needs to provide option to set
  nsDS5ReplicaTransportInfo to TLS in replication agreements
  when creating a clone, r1886

* Fri Mar 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-7
- Resolves 645097 

* Fri Mar 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-6
- Resolves #682021 - pkisilent needs xml-commons-apis.jar in it's classpath

* Wed Mar 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-5
- Resolves 645097 

* Wed Mar 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-4
- Resolves #681367 - xml-commons-apis.jar dependency, r1875

* Mon Feb 21 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-3
- Resolves #676873 - Rebase pki-core again to pick the latest features and fixes
-     Resolves #676048 - Installation within IPA hangs, r1846
-     Resolves #679173 - uninitialized variable warnings from Perl, r1860
-     Resolves #679174 - netstat loop fixes needed, r1862
-     Resolves #679580 - Velocity fails to load all dependent classes, r1864

* Wed Feb 9 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-2
- 'pki-common'
-     Bugzilla Bug #676051 - IPA installation failing - Fails to create CA
      instance
-     Bugzilla Bug #676182 - IPA installation failing - Fails to create CA
      instance

* Fri Feb 4 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.3-1
- 'pki-common'
-     Bugzilla Bug #674894 - ipactl restart : an annoy output line
-     Bugzilla Bug #675179 - ipactl restart : an annoy output line

* Thu Feb 3 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.2-1
- Bugzilla Bug #673233 - Rebase pki-core to pick the latest features and fixes
- 'pki-setup'
-     Bugzilla Bug #673638 - Installation within IPA hangs
- 'pki-symkey'
- 'pki-native-tools'
- 'pki-util'
- 'pki-java-tools'
-     Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
      by 'netscape.security.provider' package
- 'pki-common'
-     Bugzilla Bug #672291 - CA is not publishing certificates issued using
      "Manual User Dual-Use Certificate Enrollment"
-     Bugzilla Bug #670337 - CA Clone configuration throws TCP connection
      error.
-     Bugzilla Bug #504056 - Completed SCEP requests are assigned to the
      "begin" state instead of "complete".
-     Bugzilla Bug #504055 - SCEP requests are not properly populated
-     Bugzilla Bug #564207 - Searches for completed requests in the agent
      interface returns zero entries
-     Bugzilla Bug #672291 - CA is not publishing certificates issued using
      "Manual User Dual-Use Certificate Enrollment" -
-     Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
      by 'netscape.security.provider' package
-     Bugzilla Bug #672920 - CA console: adding policy to a profile throws
      'Duplicate policy' error in some cases.
-     Bugzilla Bug #673199 - init script returns control before web apps have
      started
-     Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI
      subsystem instances
- 'pki-selinux'
- 'pki-ca'
-     Bugzilla Bug #504013 - sscep request is rejected due to authentication
      error if submitted through one time pin router certificate enrollment.
-     Bugzilla Bug #672111 - CC doc: certServer.usrgrp.administration missing
      information
-     Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
      as part of CC interface review
-     Bugzilla Bug #672333 - Creation of RA agent fails in IPA installation
-     Bugzilla Bug #674917 - Restore identification of Tomcat-based PKI
      subsystem instances
- 'pki-silent'
-     Bugzilla Bug #673614 - CC: Review of cryptographic algorithms provided
      by 'netscape.security.provider' package

* Wed Feb 2 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-3
- Bugzilla Bug #656661 - Please Update Spec File to use 'ghost' on files
  in /var/run and /var/lock

* Thu Jan 20 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-2
- 'pki-symkey'
-     Bugzilla Bug #671265 - pki-symkey jar version incorrect
- 'pki-common'
-     Bugzilla Bug #564207 - Searches for completed requests in the agent
      interface returns zero entries

* Tue Jan 18 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.1-1
- Allow 'pki-native-tools' to be installed independently of 'pki-setup'
- Removed explicit 'pki-setup' requirement from 'pki-ca'
  (since it already requires 'pki-common')
- 'pki-setup'
-     Bugzilla Bug #223343 - pkicreate: should add 'pkiuser' to nfast group
-     Bugzilla Bug #629377 - Selinux errors during pkicreate CA, KRA, OCSP
      and TKS.
-     Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
      fowarding for agent services
-     Bugzilla Bug #632425 - Port to tomcat6
-     Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from
      OpenLDAP instead of the Mozldap
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #658926 - org.apache.commons.lang class not found on F13
-     Bugzilla Bug #661514 - CMAKE build system requires rules to make
      javadocs
-     Bugzilla Bug #665388 - jakarta-* jars have been renamed to apache-*,
      pkicreate fails Fedora 14 and above
-     Bugzilla Bug #23346 - Two conflicting ACL list definitions in source
      repository
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-symkey'
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #644056 - CS build contains warnings
- 'pki-native-tools'
-     template change
-     Bugzilla Bug #606946 - Convert Native Tools to use ldapAPI from
      OpenLDAP instead of the Mozldap
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #644056 - CS build contains warnings
- 'pki-util'
-     Bugzilla Bug #615814 - rhcs80 - profile policyConstraintsCritical
      cannot be set to true
-     Bugzilla Bug #224945 - javadocs has missing descriptions, contains
      empty packages
-     Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
-     Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
      senderNonce in all signed SCEP responses.
-     Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
      attack in SCEP
-     Bugzilla Bug #621334 - Provide an option to set default hash algorithm
      for signing SCEP response messages.
-     Bugzilla Bug #635033 - At installation wizard selecting key types other
      than CA's signing cert will fail
-     Bugzilla Bug #645874 - rfe ecc - add ecc curve name support in JSS and
      CS interface
-     Bugzilla Bug #488253 - com.netscape.cmsutil.ocsp.BasicOCSPResponse
      ASN.1 encoding/decoding is broken
-     Bugzilla Bug #551410 - com.netscape.cmsutil.ocsp.TBSRequest ASN.1
      encoding/decoding is incomplete
-     Bugzilla Bug #550331 - com.netscape.cmsutil.ocsp.ResponseData ASN.1
      encoding/decoding is incomplete
-     Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
      policy extension to 5 only
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #661514 - CMAKE build system requires rules to make
      javadocs
-     Bugzilla Bug #658188 - remove remaining references to tomcat5
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
-     Bugzilla Bug #223319 - Certificate Status inconsistency between token
      db and CA
-     Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory
      During CRL Generation
- 'pki-java-tools'
-     Bugzilla Bug #224945 - javadocs has missing descriptions, contains
      empty packages
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #661514 - CMAKE build system requires rules to make
      javadocs
-     Bugzilla Bug #662156 - HttpClient is hard-coded to handle only up to
      5000 bytes
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
- 'pki-common'
-     Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
-     Bugzilla Bug #623745 - SessionTimer with LDAPSecurityDomainSessionTable
      started before configuration completed
-     Bugzilla Bug #620925 - CC: auditor needs to be able to download audit
      logs in the java subsystems
-     Bugzilla Bug #615827 - rhcs80 - profile policies need more than 5
      policy mappings (seem hardcoded)
-     Bugzilla Bug #224945 - javadocs has missing descriptions, contains
      empty packages
-     Bugzilla Bug #548699 - subCA's admin certificate should be generated by
      itself
-     Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
-     Bugzilla Bug #563386 - rhcs80 ca crash on invalid inputs to profile
      caAgentServerCert (null cert_request)
-     Bugzilla Bug #621339 - SCEP one-time PIN can be used an unlimited
      number of times
-     Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
      as part of CC interface review
-     Bugzilla Bug #629677 - TPS: token enrollment fails.
-     Bugzilla Bug #621350 - Unauthenticated user can decrypt a one-time PIN
      in a SCEP request
-     Bugzilla Bug #503838 - rhcs71-80 external publishing ldap connection
      pools not reliable - improve connections or discovery
-     Bugzilla Bug #629769 - password decryption logs plain text password
-     Bugzilla Bug #583823 - CC: Auditing issues found as result of
      CC - interface review
-     Bugzilla Bug #632425 - Port to tomcat6
-     Bugzilla Bug #586700 - OCSP Server throws fatal error while using
      OCSP console for renewing SSL Server certificate.
-     Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
-     Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
      senderNonce in all signed SCEP responses.
-     Bugzilla Bug #607380 - CC: Make sure Java Console can configure all
      security relevant config items
-     Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
      generated on TKS instead of TPS.
-     Bugzilla Bug #489342 -
      com.netscape.cms.servlet.common.CMCOutputTemplate.java
      doesn't support EC
-     Bugzilla Bug #630121 - OCSP responder lacking option to delete or
      disable a CA that it serves
-     Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
-     Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
      attack in SCEP
-     Bugzilla Bug #621334 - Provide an option to set default hash algorithm
      for signing SCEP response messages.
-     Bugzilla Bug #635033 - At installation wizard selecting key types other
      than CA's signing cert will fail
-     Bugzilla Bug #621341 - Add CA support for new SCEP key pair dedicated
      for SCEP signing and encryption.
-     Bugzilla Bug #223336 - ECC: unable to clone a ECC CA
-     Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned
      by Reason Code - onlySomeReasons ?
-     Bugzilla Bug #637330 - CC feature: Key Management - provide signature
      verification functions (JAVA subsystems)
-     Bugzilla Bug #223313 - should do random generated IV param
      for symmetric keys
-     Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
      fowarding for agent services
-     Bugzilla Bug #630176 - Improve reliability of the LdapAnonConnFactory
-     Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on
      ECC curve names (not on key sizes).
-     Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple
      Certificates from the Same Request
-     Bugzilla Bug #648757 - expose and use updated cert verification
      function in JSS
-     Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection
      of signature algorithm; and for ECC curves
-     Bugzilla Bug #451874 - RFE - Java console - Certificate Wizard missing
      e.c. support
-     Bugzilla Bug #651040 - cloning shoud not include sslserver
-     Bugzilla Bug #542863 - RHCS8: Default cert audit nickname written to
      CS.cfg files imcomplete when the cert is stored on a hsm
-     Bugzilla Bug #360721 - New Feature: Profile Integrity Check . . .
-     Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
      to talk to CA and complete configuration in DonePanel
-     Bugzilla Bug #642359 - CC Feature - need to verify certificate when it
      is added
-     Bugzilla Bug #653713 - CC: setting trust on a CIMC cert requires
      auditing
-     Bugzilla Bug #489385 - references to rhpki
-     Bugzilla Bug #499494 - change CA defaults to SHA2
-     Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
      policy extension to 5 only
-     Bugzilla Bug #649910 - Console: an auditor or agent can be added to
      an administrator group.
-     Bugzilla Bug #632425 - Port to tomcat6
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
-     Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
      as expected
-     Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
      validity
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #659004 - CC: AuditVerify hardcoded with SHA-1
-     Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with
      Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
-     Bugzilla Bug #661889 - The Servlet TPSRevokeCert of the CA returns an
      error to TPS even if certificate in question is already revoked.
-     Bugzilla Bug #663546 - Disable the functionalities that are not exposed
      in the console
-     Bugzilla Bug #661514 - CMAKE build system requires rules to make
      javadocs
-     Bugzilla Bug #658188 - remove remaining references to tomcat5
-     Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
-     Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
      pkiCA, obsolete 2252 and 2256
-     Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
-     Bugzilla Bug #661142 - Verification should fail when
      a revoked certificate is added
-     Bugzilla Bug #642741 - CS build uses deprecated functions
-     Bugzilla Bug #670337 - CA Clone configuration throws TCP connection error
-     Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
      interface is no longer available through console
- 'pki-selinux'
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #667153 - store nuxwdog passwords in kernel ring buffer -
      selinux changes
- 'pki-ca'
-     Bugzilla Bug #583822 - CC: ACL issues from CA interface CC doc review
-     Bugzilla Bug #620925 - CC: auditor needs to be able to download audit
      logs in the java subsystems
-     Bugzilla Bug #621322 - Provide switch disabling SCEP support in CA
-     Bugzilla Bug #583824 - CC: Duplicate servlet mappings found as part of
      CC interface doc review
-     Bugzilla Bug #621602 - pkiconsole: Click on 'Publishing' option with
      admin privilege throws error "You are not authorized to perform this
      operation".
-     Bugzilla Bug #583825 - CC: Obsolete servlets to be removed from web.xml
      as part of CC interface review
-     Bugzilla Bug #583823 - CC: Auditing issues found as result of
      CC - interface review
-     Bugzilla Bug #519291 - Deleting a CRL Issuing Point after edits throws
      'Internal Server Error'.
-     Bugzilla Bug #586700 - OCSP Server throws fatal error while using
      OCSP console for renewing SSL Server certificate.
-     Bugzilla Bug #621337 - Limit the received senderNonce value to 16 bytes.
-     Bugzilla Bug #621338 - Include a server randomly-generated 16 byte
      senderNonce in all signed SCEP responses.
-     Bugzilla Bug #558100 - host challenge of the Secure Channel needs to be
      generated on TKS instead of TPS.
-     Bugzilla Bug #630121 - OCSP responder lacking option to delete or
      disable a CA that it serves
-     Bugzilla Bug #634663 - CA CMC response default hard-coded to SHA1
-     Bugzilla Bug #621327 - Provide switch disabling algorithm downgrade
      attack in SCEP
-     Bugzilla Bug #621334 - Provide an option to set default hash algorithm
      for signing SCEP response messages.
-     Bugzilla Bug #539781 - rhcs 71 - CRLs Partitioned
      by Reason Code - onlySomeReasons ?
-     Bugzilla Bug #637330 - CC feature: Key Management - provide signature
      verification functions (JAVA subsystems)
-     Bugzilla Bug #555927 - rhcs80 - AgentRequestFilter servlet and port
      fowarding for agent services
-     Bugzilla Bug #524916 - ECC key constraints plug-ins should be based on
      ECC curve names (not on key sizes).
-     Bugzilla Bug #516632 - RHCS 7.1 - CS Incorrectly Issuing Multiple
      Certificates from the Same Request
-     Bugzilla Bug #638242 - Installation Wizard: at SizePanel, fix selection
      of signature algorithm; and for ECC curves
-     Bugzilla Bug #529945 - (Instructions and sample only) CS 8.0 GA
      release -- DRM and TKS do not seem to have CRL checking enabled
-     Bugzilla Bug #609641 - CC: need procedure (and possibly tools) to help
      correctly set up CC environment
-     Bugzilla Bug #509481 - RFE: support sMIMECapabilities extensions in
      certificates (RFC 4262)
-     Bugzilla Bug #651916 - kra and ocsp are using incorrect ports
      to talk to CA and complete configuration in DonePanel
-     Bugzilla Bug #511990 - rhcs 7.3, 8.0 - re-activate missing object
      signing support in RHCS
-     Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
-     Bugzilla Bug #489385 - references to rhpki
-     Bugzilla Bug #499494 - change CA defaults to SHA2
-     Bugzilla Bug #623452 - rhcs80 pkiconsole profile policy editor limit
      policy extension to 5 only
-     Bugzilla Bug #649910 - Console: an auditor or agent can be added to
      an administrator group.
-     Bugzilla Bug #632425 - Port to tomcat6
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #653576 - tomcat5 does not always run filters on servlets
      as expected
-     Bugzilla Bug #642357 - CC Feature- Self-Test plugins only check for
      validity
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #661128 - incorrect CA ports used for revoke, unrevoke
      certs in TPS
-     Bugzilla Bug #512496 - RFE rhcs80 - crl updates and scheduling feature 
-     Bugzilla Bug #661196 - ECC(with nethsm) subca configuration fails with
      Key Type RSA Not Matched despite using ECC key pairs for rootCA & subCA.
-     Bugzilla Bug #649343 - Publishing queue should recover from CA crash.
-     Bugzilla Bug #491183 - rhcs rfe - add rfc 4523 support for pkiUser and
      pkiCA, obsolete 2252 and 2256
-     Bugzilla Bug #223346 - Two conflicting ACL list definitions in source
      repository
-     Bugzilla Bug #640710 - Current SCEP implementation does not support HSMs
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
-     Bugzilla Bug #661142 - Verification should fail when
      a revoked certificate is added
-     Bugzilla Bug #668100 - DRM storage cert has OCSP signing extended key
      usage
-     Bugzilla Bug #662127 - CC doc Error: SignedAuditLog expiration time
      interface is no longer available through console
-     Bugzilla Bug #531137 - RHCS 7.1 - Running out of Java Heap Memory
      During CRL Generation
- 'pki-silent'
-     Bugzilla Bug #627309 - pkisilent subca configuration fails.
-     Bugzilla Bug #640091 - pkisilent panels need to match with changed java
      subsystems
-     Bugzilla Bug #527322 - pkisilent ConfigureDRM should configure DRM
      Clone.
-     Bugzilla Bug #643053 - pkisilent DRM configuration fails
-     Bugzilla Bug #583754 - pki-silent needs an option to configure signing
      algorithm for CA certificates
-     Bugzilla Bug #489385 - references to rhpki
-     Bugzilla Bug #638377 - Generate PKI UI components which exclude a GUI
      interface
-     Bugzilla Bug #651977 - turn off ssl2 for java servers (server.xml)
-     Bugzilla Bug #640042 - TPS Installlation Wizard: need to move Module
      Panel up to before Security Domain Panel
-     Bugzilla Bug #643206 - New CMake based build system for Dogtag
-     Bugzilla Bug #588323 - Failed to enable cipher 0xc001
-     Bugzilla Bug #656733 - Standardize jar install location and jar names
-     Bugzilla Bug #645895 - pkisilent: add ability to select ECC curves,
      signing algorithm
-     Bugzilla Bug #658641 - pkisilent doesn't not properly handle passwords
      with special characters
-     Bugzilla Bug #642741 - CS build uses deprecated functions

* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-3
- Bugzilla Bug #668839 - Review Request: pki-core
-   Removed empty "pre" from "pki-ca"
-   Consolidated directory ownership
-   Corrected file ownership within subpackages
-   Removed all versioning from NSS and NSPR packages

* Thu Jan 13 2011 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-2
- Bugzilla Bug #668839 - Review Request: pki-core
-   Added component versioning comments
-   Updated JSS from "4.2.6-10" to "4.2.6-12"
-   Modified installation section to preserve timestamps
-   Removed sectional comments

* Wed Dec 1 2010 Matthew Harmsen <mharmsen@redhat.com> 9.0.0-1
- Initial revision. (kwright@redhat.com & mharmsen@redhat.com)