[PATCH] 146 Added ACLInterceptor.
by Endi Sukma Dewata
Previously ACL checking was done in PKIRealm by matching the URL.
This code has been replaced by ACLInterceptor which will intercept
RESTEasy method invocations. This allows more precise mapping of
REST methods to ACL entries in acl.ldif.
Ticket #287
--
Endi S. Dewata
12 years, 1 month
test
by Christina Fu
test
12 years, 1 month
[PATCH] 147 Fixed PrettyPrintCert and PrettyPrintCrl.
by Endi Sukma Dewata
The wrappers for PrettyPrintCert and PrettyPrintCrl have been fixed
to include the class names.
Ticket #381
There's still an exception about missing SHA 256 message digest, but it
will be addressed separately.
--
Endi S. Dewata
12 years, 1 month
Announcing Dogtag 10 Beta 2 Release
by Ade Lee
The Dogtag team is proud to announce version Dogtag v10.0.0 beta 2.
A build is available for Fedora 18 in the updates-testing repo. Please
try it out and provide karma to move it to the F18 stable repo.
Daily developer builds for Fedora 17 and 18 are available at
http://nkinder.fedorapeople.org/dogtag-devel/fedora/
== Build Versions ==
pki-core-10.0.0-0.48.b2.fc18
pki-ra-10.0.0-0.10.b2.fc18
pki-tps-10.0.0-0.10.b2.fc18
dogtag-pki-10.0.0-0.13.b2.fc18
dogtag-pki-theme-10.0.0-0.4.b2.fc18
pki-console-10.0.0-0.10.b2.fc18
== Highlights since Dogtag v. 10.0.0 beta 1 (Oct 9 2012) ==
* SELinux policy moved into system SELinux policy. For F18, pki-selinux
will no longer be built and delivered by the dogtag team. The PKI
policy will instead be managed by the SELinux base packages team.
* Added option to install schema on a clone, rather than simply
replicating it. This is to resolve an IPA issue when replicating from a
non-merged to a merged database.
* Restricted AJP to allow access from localhost only by default. This
is an IPA reported issue.
* Changes to allow the TPS and RA to install and configure correctly.
* Enabled Tomcat security manager and added mechanism to configure
custom security policy.
* Added CLI tools to obtain security domain information and install
tokens.
* Refactored REST client classes to support multiple operations over
authenticated HTTP session.
* Added automatic recovery to the LDAP modification listener.
* Added login service to protect REST services including certificate
operations, key operations, security domain, TKS and OCSP.
* Added option to pkispawn to exit before configuration, in case the
installer wants to go through the UI configuration panels. In this way,
pkispawn can be operated like pkicreate/pkisilent.
* Removed version numbers from jar files to comply with Fedora packaging
recommendations.
== Notes for F17 ==
* Only developer builds are available for F17.
* F17 tomcat used to have a bug in the way it handles pid files.
https://bugzilla.redhat.com/show_bug.cgi?id=863307. Make sure that you
have at least tomcat-7.0.32-1.fc17.
== Feedback ==
Please provide comments, bugs and other feedback via the pki-devel
mailing list: http://www.redhat.com/mailman/listinfo/pki-devel
== Detailed Changelog ==
akoneru (1):
1485a05 Fix for ticket 384 - Incorrect profiles path referenced
alee (15):
80ac796 Fix symkey build dependency
65c17da Update to b2 release
7c105a6 Restrict AJP to localhost only by default
3908d96 Added obsoletes for pki-selinux
278ee60 changes to remove pki-selinux from f18 build
1c45197 Provide option to install, rather than replicate schema to clone
40bcc2c Reorder VLV indexing for clones to avoid errors
643c089 Fixes to get TPS to configure correctly
d6634a7 Reverted to old interface and httpclient for installation token.
2a43f48 Added net-tools dependency
35eb608 changes to remind folks not to use pkicreate/pkiremove
8a2d342 Update tomcatjss dependency
283af42 Added pki_tomcat_script_t type and rules for upgraded instances
c7c2b6c New selinux interface needed for certmonger directory access
c494bd0 Added pki_tomcat_cert_t type and interface to access it
edewata (16):
c1aa8b2 Enabled authentication for key services.
748605a Fixed synchronization problem in CertificateRepository.
5eab7fe Enabled Tomcat security manager.
9c17ef4 Refactored GetDomainXML servlet.
5bb7933 Added REST interface to get domain info.
6359021 Enabled account service for TKS and OCSP.
8687740 Added conditions for security domain REST service.
7ec6c91 Fixed error handling in RetrieveModificationsTask.
2d3d561 Fixed KRA test.
c1f9b39 Enabled realm authentication for certificate requests.
1723a2e Added REST account service.
98ad9c1 Added PKIPrincipal.
4300459 Added PKIConnection.
8973480 Refactored GetCookie servlet.
168d954 Enabled authentication for security domain REST interface.
212ab82 Return to d9 behavior for RetrieveModificationsTask
mharmsen (2):
a957a3d Allow a PKI instance to be installed/configured independently
8d77b52 Removal of version numbers from jar file names
12 years, 1 month
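The beta 2 highlight about restricting AJP to localhost concerns the address binding of Tomcat's AJP connector: AJP carries request attributes that Tomcat trusts from a front-end httpd, so an AJP port reachable from the network lets anyone speak the protocol to Tomcat directly. The script below is an added example, not Dogtag's own code or tooling: it audits a server.xml for that binding and demonstrates the check on two constructed samples, a connector with no address attribute (listening on every interface) beside one bound to 127.0.0.1. It assumes each AJP `<Connector .../>` element is written on a single line, as in the stock Tomcat server.xml, and the instance path /etc/pki/pki-tomcat/server.xml mentioned in the usage note is an assumption about the Dogtag 10 layout.

```shell
#!/bin/sh
# Added example (not Dogtag's own code): audit the Tomcat AJP connector binding.
#
# Assumption: each AJP <Connector .../> element sits on one line, as in the
# stock Tomcat server.xml. A connector split across lines is not parsed.

# Print every AJP connector line from a server.xml (empty output if none).
ajp_connectors() {
    grep 'protocol="AJP/1.3"' "$1" || true
}

# Exit 0 if every AJP connector in the file is bound to a loopback address,
# 1 if at least one is unbound (all interfaces) or bound to another address,
# 2 if the file declares no AJP connector at all.
ajp_is_loopback_only() {
    file="$1"
    total=$(ajp_connectors "$file" | grep -c '' || true)
    [ "$total" -gt 0 ] || return 2
    loopback=$(ajp_connectors "$file" \
        | grep -c -E 'address="(127\.0\.0\.1|::1|localhost)"' || true)
    [ "$loopback" -eq "$total" ]
}

# Human-readable verdict for one file; never aborts the caller under set -e.
ajp_report() {
    ajp_is_loopback_only "$1" && rc=0 || rc=$?
    case $rc in
        0) echo "$1: OK, AJP bound to loopback only" ;;
        2) echo "$1: no AJP connector declared" ;;
        *) echo "$1: WARNING, AJP connector reachable from the network" ;;
    esac
}

# Constructed sample: an AJP connector with no address attribute, so Tomcat
# listens on every interface (the behaviour beta 2 moved away from).
write_weak_sample() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF
}

# Constructed sample: the hardened connector, bound to loopback only.
write_hardened_sample() {
    cat > "$1" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="127.0.0.1" />
  </Service>
</Server>
EOF
}

# Stand-alone run: audit the files given on the command line, or, with no
# arguments, demonstrate the check on the two constructed samples.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do ajp_report "$f"; done
else
    tmpdir=$(mktemp -d)
    write_weak_sample "$tmpdir/server-weak.xml"
    write_hardened_sample "$tmpdir/server-hardened.xml"
    ajp_report "$tmpdir/server-weak.xml"
    ajp_report "$tmpdir/server-hardened.xml"
    rm -rf "$tmpdir"
fi
```

Run it with no arguments to see both verdicts on the constructed samples, or point it at a real instance, for example `sh ajp-check.sh /etc/pki/pki-tomcat/server.xml` (path assumed). The check is deliberately conservative: any AJP connector whose address is not a loopback literal is reported, including `address="0.0.0.0"`, and a server.xml with no AJP connector at all is reported separately rather than passed silently.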
[PATCH] Allow a PKI instance to be installed/configured independently
by Matthew Harmsen
The attached patch addresses the following PKI issue:
* TRAC Ticket #286 - Dogtag 10: Create parameter for optionally
allowing a user to skip configuration . . .
This patch was tested successfully with the following new parameter
specifications:
1. standard 'pkispawn' combined installation/configuration:
* pki_skip_configuration=False
* pki_skip_installation=False
2. legacy 'pkispawn' run like 'pkicreate'/browser UI configuration:
* pki_skip_configuration=True
* pki_skip_installation=False
3. run 'pkispawn' skipping installation and configuration (do nothing)
* pki_skip_configuration=True
* pki_skip_installation=True
The patch was not tested for running 'pkispawn' first for installation
only (2), and then again only for configuration (which may or may not work).
12 years, 1 month
[PATCH] Removal of version numbers from jar file names
by Matthew Harmsen
The attached patch addresses the following PKI issue:
* TRAC Ticket #350 - Dogtag 10: Remove version numbers from PKI jar
files . . .
This patch was checked against the following PKI services
(CA/KRA/OCSP/TKS as a single merged instance):
* The Dogtag 10 versions of 'dogtag-pki-theme', 'pki-core', and
'pki-console' were all built, installed, and tested on a 64-bit
Fedora 17 machine
* None of the java jars under /usr/share/java/pki contain any embedded
versions in their names, and there are no more symbolic links
* The JNI 'symkey.jar' is a file and contains no embedded version in
its name
* CA
o after reporting the previously encountered 'certutil -a' problem
on the admin cert, and manually correcting it, I successfully
requested, approved, and issued a certificate using the 'Manual
User Dual-Use Certificate Enrollment' profile
* KRA
o after launching a standalone browser profile (since the KRA
admin certificate will not be prompted for since it is running
on the same port), the keys were successfully archived using the
'Manual User Signing and Encryption Certificates Enrollment'
profile <https://dogtag17-clone.usersys.redhat.com:8443/ca/ee/ca/profileSelect?pro...>
* OCSP
o after launching another standalone browser profile (since the
KRA admin certificate will not be prompted for since it is
running on the same port), the command 'OCSPClient
server.example.com 8080 /var/lib/pki/pki-tomcat/alias/
"ocspSigningCert cert-pki-tomcat" 23 22.res 1 /ocsp/ee/ocsp' was
executed from the command line while performing a 'tail -f
/var/log/pki/pki-tomcat/ocsp/debug' which showed communication
with the OCSP server
* TKS
o I successfully launched the URL
'http://server.example.com:8080/tks/services' from a browser
* PKI Console
o No GUI was presented for the PKI console when invoking
'pkiconsole https://server.example.com:8443/ca', but this
appeared to be a display issue, not a problem with the newly
named jars
If this patch is found to be acceptable in its current incarnation,
please feel free to push it to the 'master' branch so that it may be
included in the upcoming Beta 2 builds.
-- Matt
12 years, 1 month
[PATCH] 145 Enabled authentication for key services.
by Endi Sukma Dewata
The web.xml in KRA has been modified to enable the authentication
for key and key request services. Some tools have been added to
access the services via command-line.
Ticket #376
--
Endi S. Dewata
12 years, 1 month