[PATCH] 89 Enabled SSL authenticator and PKI realm.
by Endi Sukma Dewata
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a client certificate or username
and password. The authentication and authorization will be handled
by the SSL authenticator with fallback and PKI realm. New access
control rules have been added for users, groups, and certs REST
services.
Ticket #107
--
Endi S. Dewata
12 years, 4 months
[PATCH] 86 Moved REST services into separate URLs.
by Endi Sukma Dewata
To support different access control configurations the
REST services have been moved out of /pki into several
URLs.
The certificate request submission service is now located
under /ee and it does not require authentication. The
configuration service is located under /installer and
it requires service-level authentication using PIN. The
remaining services are located under /agent and /admin.
They require realm authentication using client cert or
basic authentication and also require administrator or
agent access rights. Existing servlets are not affected
by this change.
Ticket #107, #259
--
Endi S. Dewata
12 years, 4 months
[PATCH] 88 Merged pki-jndi-realm.jar into pki-cmscore.jar.
by Endi Sukma Dewata
On Tomcat 7 it's no longer necessary to have a separate package
for the authenticator and realm classes. They are now packaged
in pki-cmscore.jar which is deployed in Tomcat's common/lib.
Ticket #126
--
Endi S. Dewata
12 years, 4 months
[PATCH] 87 Refactored PKI JNDI realm.
by Endi Sukma Dewata
The PKI JNDI realm has been modified to utilize the authentication
and authorization subsystems in PKI engine directly. It's no longer
necessary to define the LDAP connection settings in Tomcat's
configuration files.
Ticket #126
--
Endi S. Dewata
12 years, 4 months
[PATCH] 85 Added SSL authenticator with fallback.
by Endi Sukma Dewata
A custom Tomcat authenticator has been added to authenticate users
using client certificate if provided, otherwise it will fallback to
BASIC/FORM authentication.
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a certificate or username and
password.
Ticket #107
Note: The cert-request-submit still needs to be moved out of
/pki/certrequests to allow access by unauthenticated users. Right now it
requires authentication and for some reason not working.
--
Endi S. Dewata
12 years, 4 months
[PATCH] 43 - selinux changes
by Ade Lee
Hi,
Selinux policy has been changed to use standard tomcat ports.
Corresponding changes have been made in the pki-deploy scripts.
Please review.
Ade
12 years, 4 months
[PATCH] PKI Deployment Framework PKI TRAC issues (07/28/2012)
by Matthew Harmsen
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch addresses the following issues:
* TRAC Ticket #263 - Dogtag 10: Fix 'pkidestroy' problem of
sporadically "not" removing "/etc/sysconfig/{pki_instance_id}" . . .
* TRAC Ticket #264 - Dogtag 10: Enable various other subsystems for
configuration . . .
* TRAC Ticket #261 - Dogtag 10: Revisit command-line options of
'pkispawn' and 'pkidestroy' . . .
* TRAC Ticket #268 - Dogtag 10: Create a parameter for optional
restart of configured PKI instance . . .
* TRAC Ticket #270 - Dogtag 10: Add missing parameters to
'pkideployment.cfg' . . .
* TRAC Ticket #265 - Dogtag 10: Provide configurable options for PKI
client information . . .
* TRAC Ticket #275 - Dogtag 10: Add debug information (comments) to
Tomcat 7 "logging.properties"
* TRAC Ticket #276 - Dogtag 10: Relocate all 'pin' data to the
'sensitive' dictionary
* TRAC Ticket #277 - Dogtag 10: Create an 'archive' for 'manifest' and
'pkideployment.cfg' files
*WARNING: Due to some of the changes to the command-line parameters
(mainly the introduction of a dependency on the existence of a new
symlink), instances previously created with the old "pkispawn" will once
again need to be removed by the old "pkidestroy" PRIOR to the
installation of this patch.*
Note: You will definitely need to establish the following "passwords"
in your copy of "pkideployment.cfg" in order to install a "CA":
* pki_admin_password
* pki_client_pkcs12_password
* pki_ds_password
* pki_security_domain_password
I ran the following command: pkispawn -s CA -f
/tmp/pki/pkideployment.cfg -vvv
Unfortunately, for me, out-of-the-box installation failed with the
following problem:
* pkispawn : ERROR ....... port 8080 has invalid selinux
context http_cache_port_t
This error occurred despite downloading the latest SELinux policies
on my 64-bit Fedora 17 box and compiling 'pki-selinux' against them.
The work-around that I used was to edit
"/usr/lib/python2.7/site-packages/pki/deployment/initialization.py"
and comment out the call to
"util.configuration_file.verify_selinux_ports()" in the 'spawn()'
method.
Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg
-vvv' now produces the following error:
pkispawn : INFO ... populating 'pki.deployment.selinux_setup'
Traceback (most recent call last):
File "/bin/pkispawn", line 225, in <module>
main(sys.argv)
File "/bin/pkispawn", line 212, in main
rv = instance.spawn()
File
"/usr/lib/python2.7/site-packages/pki/deployment/selinux_setup.py",
line 69, in spawn
port1.add(port, "tcp", "s0", config.PKI_PORT_SELINUX_CONTEXT)
File "/usr/lib64/python2.7/site-packages/seobject.py", line
1045, in add
self.__add(port, proto, serange, type)
File "/usr/lib64/python2.7/site-packages/seobject.py", line
1002, in __add
raise ValueError(_("Port %s/%s already defined") % (proto,
port))
ValueError: Port tcp/8080 already defined
My work-around to fix to this error is to remove the symlinks which
call the 'selinux_setup.py' scriptlet for both 'pkispawn' and
'pkidestroy':
* rm /usr/share/pki/deployment/spawn/*/035_selinux_setup
* rm /usr/share/pki/deployment/destroy/*/985_selinux_setup
Unfortunately, at this stage, sufficient installation has been made
which prevents a new installation, and 'pkidestroy' in its current
incarnation
will be unable to completely remove the instance. Therefore,
presuming an instance name of 'pki-tomcat', run the following commands:
* rm -rf /var/lib/pki
* rm -rf /etc/pki/pki-tomcat/
* rm -rf /etc/sysconfig/pki
* rm -rf /var/log/pki
* rm /etc/sysconfig/pki-tomcat (this command will fail, as it has
not yet been created)
Re-running the command 'pkispawn -s CA -f /tmp/pki/pkideployment.cfg
-vvv'should now run to successful completion!
To test this patch, run the test instructions documented in earlier
patches for installing the Admin Cert.
Note that the 'ca_admin_cert.p12' file is now located under
'/var/lib/pki/{pki-instance-id}/conf/alias/ca_admin_cert.p12', and
since a browser may not
have the appropriate permissions to traverse past the '/var/lib/pki'
directory, the administrator will need to make this file available
(i. e. - copy it to /tmp).
*Please note, that although KRA, OCSP, and TKS installations will
run to completion, at the present time, a crash occurs in the
invocation of the java configuration
client (quite possibly due to the specification of
incorrect/incomplete parameters for these subsystems).*
Thanks,
-- Matt
12 years, 4 months
[PATCH] 83 Added support for basic authentication.
by Endi Sukma Dewata
The CMSRestClient has been modified to support basic authentication
and handle HTTP redirection. The basic authentication can be used as
follows:
pki -U <server uri> -u <username> -w <password> user-find
Some protected REST services might require secure connection. If the
user tries to call these services over HTTP the CLI will handle the
redirection automatically to an HTTPS port.
Ticket #107
--
Endi S. Dewata
12 years, 4 months
[PATCH] 82 Added ClientConfig.
by Endi Sukma Dewata
A new ClientConfig class has been added to encapsulate client
configuration parameters. These parameters include server URI,
certificate database, certificate nickname, and password.
Ticket #107
--
Endi S. Dewata
12 years, 4 months
