[PATCH] 0010..0013 DNP3/IECUserRoles extension support
by Fraser Tweedale
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
9 years, 6 months
CLI for editing profiles
by Fraser Tweedale
Along with LDAP profiles, we will be adding modules to the CLI for
adding and editing profiles in the ConfigStore format that was used
for file-based profiles. For more info, see:
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili...
There is an existing CLI for adding and modifying profiles, in the
XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The
XML format carries information including the profile ID and
class_id, but these data must be supplied out-of-band when dealing
with the ConfigStore format.
Because of this, I intend to:
- add new commands to the existing profile CLI for working with the
"raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw".
Where necessary, these commands will take compulsory
``--profile-id`` and/or ``--class-id`` arguments, to account for
the absense of such information in the profile ConfigStore format;
and
- transport this information in the XML format - not in the "raw"
format - so that it will be unnecessary to make changes to
ProfileClient or the ProfileService API.
As usual, I welcome feedback - especially if you feel I am going the
wrong way ^_^
9 years, 8 months
[PATCH] pki-ftweedal-0015-Monitor-database-for-changes-to-LDAP-profiles.patch
by Fraser Tweedale
This is the first cut of the LDAP profile change monitoring. It
depends on patches 0004..0009 and 0014
(https://www.redhat.com/archives/pki-devel/2014-September/msg00052.html).
To summarise the implementation: a separate thread carries out a
persistent LDAP search and calls back into the ProfileSubsystem when
changes occur. I haven't had much experience with persistent
searches or multithreaded programming in Java, so eyeballs familiar
with those areas are needed.
I haven't yet tested with changes replicating between clones (a task
for tomorrow) but I wanted to get the patch on list for feedback as
early as possible.
Cheers,
Fraser
9 years, 8 months
[PATCH] 531 Moved web application deployment locations.
by Endi Sukma Dewata
Currently web applications are deployed into Host's appBase (i.e.
<instance>/webapps). To allow better control of individual
subsystem deployments, the web applications have to be moved out
of the appBase so that the autoDeploy can work properly later.
This patch moves the common web applications to <instance>/
common/webapps and subsystem web applications to <instance>/
<subsystem>/webapps. An upgrade script has been added to update
existing deployments.
https://fedorahosted.org/pki/ticket/1183
--
Endi S. Dewata
9 years, 10 months
[PATCH] 0017 Enable Authority Key Identifier CRL extension
by Fraser Tweedale
This patch enables the Authority Key Identifier CRL Extension, which
is REQUIRED by RFC 5280, by default.
Should existing instances be left alone or should I also look at an
upgrade script that offers to upgrade CS.cfg to be conformant?
Fraser
9 years, 11 months
[PATCH] Remove legacy multilib JNI_JAR_DIR logic
by Matthew Harmsen
Please review the attached patch which addresses the following bug:
* Bugzilla Bug #1165351 - Errata TPS test fails due to dependent
packages not found <https://bugzilla.redhat.com/show_bug.cgi?id=1165351>
At one point in time, there was a effort to try to support multilib
JNI. This patch removes that legacy code and attempts to add support to
allow a user the ability to override this variable.
The patch has been successfully tested:
* Upgrade
* Verify (this used to fail due to the multilib code; now that the
problematic code is not present, this test passes)
* Downgrade
NOTE: Obviously, if 'Verify' is run on the 'pki-base' package after
Downgrade, the verification will most likely fail
since the downgraded package will probably still contain
the problematic 'multilib' code.
10 years, 1 month