[PATCH] 0010..0013 DNP3/IECUserRoles extension support
by Fraser Tweedale
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
9 years, 6 months
remove RAEnrollProfile.java?
by Fraser Tweedale
The RAEnrollProfile class is not used or referenced anywhere in the
codebase. I presume it was related to the RA, but even immediately
before removal of the RA it did not seem to be used, so it seems
safe to remove it.
Comments?
Fraser
9 years, 6 months
[PATCH] 0026 Add lightweight sub-CA support
by Fraser Tweedale
G'day,
The first major patch for lightweight sub-CAs is attached for
review. Some important features are not yet implemented in this
patch:
- Sub-CA creation
- Caching of sub-CA instances
- Signing key replication for clones
- CRLs (the OCSP servlet works for sub-CAs, however)
- Sub-CA support is possibly missing from some web servlets /
templates. Let me know if you hit any.
Because sub-CA creation is not implemented, if you want to test this
patch you will need to:
1. Use the top-level CA to sign a sub-CA certificate and manually
install it in the NSSDB with the nickname:
"${TOPLEVEL_CA_NICKNAME} ${SUB_CA_HANDLE}"
2. Create the sub-CA certificate repository OU:
"ou=${SUB_CA_HANDLE},ou=certificateRepository,ou=ca,o=pki-tomcat-CA"
3. When submitting requests or other queries via HTTP, edit the
initial link target or form action to include the query parameter:
"?caRef=${SUB_CA_HANDLE}"
(Subsequent pages should not require this intervention.)
I have also updated the design proposal with some refinements and
details of the implementation so far:
http://pki.fedoraproject.org/wiki/Lightweight_sub-CAs
Looking forward to your feedback / bug reports!
Fraser
9 years, 7 months
Fwd: Re: patches to fix pkispawn issues
by Matthew Harmsen
-------- Forwarded Message --------
Subject: Re: [Pki-devel] patches to fix pkispawn issues
Date: Wed, 29 Apr 2015 15:26:48 -0600
From: Matthew Harmsen <mharmsen(a)redhat.com>
To: alee(a)redhat.com
On 04/29/15 13:34, Ade Lee wrote:
> Attached revised patch to address issue found.
> If the port is not found, we will now prompt.
>
> Ade
>
> On Wed, 2015-04-29 at 13:10 -0600, Matthew Harmsen wrote:
>> On 04/29/15 11:58, Ade Lee wrote:
>>
>>> Please review attached patches:
>>>
>>> commit d33caa4c1302ecc1d2fc3c42d85544a2653dd09a
>>> Author: Ade Lee <alee(a)redhat.com>
>>> Date: Wed Apr 29 12:46:19 2015 -0400
>>>
>>> Fix interactive install to not reprompt for ports
>>>
>>> Ports are already set when deploying into an existing instance.
>>> Having a user re-enter these is repetitious and error prone.
>>>
>>> commit f0a5c5c79e9918c362f73103891e11f2f7dc6bbb
>>> Author: Ade Lee <alee(a)redhat.com>
>>> Date: Wed Apr 29 11:11:41 2015 -0400
>>>
>>> Trac Ticket 1196 - serverCertNick.conf is replaced incorrectly
>>>
>>> When second subsystem is installed, serverCertNick.conf and other
>>> top level tomcat config files should not be replaced.
>>>
>>> commit b0317d50fd302086dd324f69d11647f655ddd9bd
>>> Author: Ade Lee <alee(a)redhat.com>
>>> Date: Wed Apr 29 10:57:09 2015 -0400
>>>
>>> Code cleanup - simplify pkispawn code
>>>
>>> All subsystems are now tomcat instances. Conditionals based on
>>> whether the subsystem is a tomcat instance or not are no longer
>>> required.
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>> NACK
>>
>> Unfortunately, as discussed on IRC, if non-interactive mode was
>> utilized to originally setup your instance, and then further instances
>> utilized interactive mode within that instance, reading directories
>> under /etc/sysconfig/pki/tomcat/pki-tomcat may find a 'deployment.cfg'
>> that only contains the file that was utilized to non-interactively
>> install the original instance. This would return data to make
>> existing_data true, but unfortunately would not contain the fields
>> required.
ACK
CAVEAT: Will change line in set_port() from:
* if existing_data[tag]:
to:
* if tag in existing_data:
9 years, 7 months
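The caveat in the reply above is the whole bug in miniature: a deployment.cfg from a non-interactive install of one subsystem makes existing_data non-empty, but it need not contain the port key being looked up, so subscripting raises KeyError where a membership test would simply fall through to the prompt. The following is an added illustration written for this page, not pkispawn's own set_port() or config loader; the two set_port variants, the prompt callback and the sample deployment.cfg contents are constructed, and the key names only follow the pkispawn naming convention.

```python
"""Added example (not pkispawn's code): why `tag in existing_data` is the
safer test in set_port() than `existing_data[tag]` when the existing
deployment.cfg may come from a different, non-interactively installed
subsystem and therefore lack some keys."""
import configparser

# Constructed sample: a deployment.cfg written by a non-interactive CA
# install that happens to carry every port the next install will ask for.
# Key names follow the pkispawn convention; values are made up.
COMPLETE_CFG = """
[Tomcat]
pki_http_port = 8080
pki_https_port = 8443
"""

# Constructed sample: a deployment.cfg that exists (so existing_data is
# truthy) but does not carry the key the next install needs.
PARTIAL_CFG = """
[Tomcat]
pki_http_port = 8080
"""


def load_existing_data(cfg_text):
    """Parse deployment.cfg text into a flat dict of the [Tomcat] keys.

    Returns {} when the section is absent, mirroring the empty-dict case
    that the original code relied on to mean "nothing to reuse"."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_section("Tomcat"):
        return {}
    return dict(parser["Tomcat"])


def set_port_original(existing_data, tag, prompt):
    """The form the reply says will be changed: subscripting raises
    KeyError when `tag` is missing, even though existing_data is truthy."""
    if existing_data[tag]:
        return existing_data[tag]
    return prompt(tag)


def set_port_fixed(existing_data, tag, prompt):
    """The form the reply switches to: a missing key falls through to
    the interactive prompt instead of crashing the installer."""
    if tag in existing_data:
        return existing_data[tag]
    return prompt(tag)


def resolve_ports(cfg_text, tags, set_port):
    """Resolve every port in `tags`, recording which ones had to be
    prompted for.  Returns (ports, prompted_tags)."""
    existing_data = load_existing_data(cfg_text)
    prompted = []

    def prompt(tag):
        # Stand-in for the interactive question; constructed answer.
        prompted.append(tag)
        return "9443"

    ports = {tag: set_port(existing_data, tag, prompt) for tag in tags}
    return ports, prompted


if __name__ == "__main__":
    tags = ["pki_http_port", "pki_https_port"]
    print(resolve_ports(COMPLETE_CFG, tags, set_port_fixed))
    print(resolve_ports(PARTIAL_CFG, tags, set_port_fixed))
    try:
        resolve_ports(PARTIAL_CFG, tags, set_port_original)
    except KeyError as exc:
        print("original form fails on partial config:", exc)
```

One consequence of the membership test worth keeping in mind: a key that is present but empty is now returned as-is rather than prompted for, so if empty values can occur in a deployment.cfg the loader should drop them before the lookup.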
patches to fix pkispawn issues
by Ade Lee
Please review attached patches:
commit d33caa4c1302ecc1d2fc3c42d85544a2653dd09a
Author: Ade Lee <alee(a)redhat.com>
Date: Wed Apr 29 12:46:19 2015 -0400
Fix interactive install to not reprompt for ports
Ports are already set when deploying into an existing instance.
Having a user re-enter these is repetitious and error prone.
commit f0a5c5c79e9918c362f73103891e11f2f7dc6bbb
Author: Ade Lee <alee(a)redhat.com>
Date: Wed Apr 29 11:11:41 2015 -0400
Trac Ticket 1196 - serverCertNick.conf is replaced incorrectly
When second subsystem is installed, serverCertNick.conf and other
top level tomcat config files should not be replaced.
commit b0317d50fd302086dd324f69d11647f655ddd9bd
Author: Ade Lee <alee(a)redhat.com>
Date: Wed Apr 29 10:57:09 2015 -0400
Code cleanup - simplify pkispawn code
All subsystems are now tomcat instances. Conditionals based on
whether the subsystem is a tomcat instance or not are no longer
required.
9 years, 7 months
[PATCH] two more patches for nuxwdog
by Ade Lee
1. Patch 1 allows one to easily enable/disable nuxwdog for a particular
instance. In this case, one would use:
pki-server instance-nuxwdog-enable <instance> OR
pki-server instance-nuxwdog-disable <instance> OR
pki-server nuxwdog-enable/disable (for all instances on system)
2. Documentation will follow in subsequent patches, i.e. when the man page
for pki-server is created.
3. Patch 2 just amends the pki java security policy to allow the
instance to be started with nuxwdog and java security policy on.
At this point, you still need selinux permissive, although I will be
filing a BZ to add the required rules.
Please review,
Ade
9 years, 7 months