Announcing 'Dogtag 10.0.0 (Alpha)'
by Matthew Harmsen
The Dogtag team is pleased to announce the availability of an Alpha
Release of the Dogtag 10.0 code.
This release contains the following features:
1. Extension of the functionality of the DRM to store and retrieve symmetric keys and passphrases, rather than only asymmetric keys. This feature allows the DRM to be used as a secure vault-like storage for essentially any sensitive data. The data is stored using the same secure FIPS-compliant storage mechanism used to store PKI keys.
2. The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy framework. This provides an intuitive mechanism for writing clients to the interface. Both Java (using the RESTEasy client proxy framework) and Python clients have been coded. The server uses standard Java libraries to generate and parse XML or JSON input and output data.
3. Extracted authentication and authorization code from the individual servlets into a standard Tomcat authentication realm. This realm has been configured to require client certificate authentication, and is being used to secure the new DRM REST interface. In the future, this authentication realm could be extended to include other kinds of authentication (such as Kerberos). This is part of a push to refactor the code to expose the core business functionality in the servlets, while extracting the ancillary tasks (authentication, authorization, XML parsing and generation, etc.) and using standard methods and libraries to accomplish these tasks.
4. Enhanced Java subsystems so that they could connect to the internal database using a non-Directory Manager user that is authenticated using client authentication. This resolves a number of issues with LDAP operations ignoring search limits. In addition, some changes have been made to allow integrating the Dogtag database with other systems such as IPA.
5. A new package pki-deploy contains the initial framework for a Python-based installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a Dogtag instance. This will ultimately replace the pki-setup installer/de-installer (pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent) package.
6. Much of the focus of this release was on cleaning up and modernizing the Dogtag source code.
   * Dogtag source code has been moved to git.
   * Java coding standards have been revised, and the code has been reformatted to match those standards.
   * Initially, Eclipse reported about 13000 warnings in the dogtag code. Those have been reduced to close to 2400. This included removing dead and unused code, replacing calls to deprecated functions and replacing raw collections with type-safe generics. NOTE: These numbers currently exclude console code.
   * OSUtil is a package that has certain utilities that were not available when the Dogtag code was originally written. These utilities are now available in current standard libraries, and so this package has been eliminated entirely.
   * Improved handling of short- and long-lived threads, which allows threads to exit gracefully on shutdown.
The builds can be found at the following links:
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/i686 - Fedora 16 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/x86_64 - Fedora 16 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/SRPMS - Fedora 16 (Source)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/i686 - Fedora 17 (32-bit i686)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/x86_64 - Fedora 17 (64-bit x86_64)
* http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/SRPMS - Fedora 17 (Source)
[PATCH] 30 Escape parameter values in search filter.
by Endi Sukma Dewata
The REST interface was vulnerable to an injection attack. This has
been fixed by escaping the special characters in parameter values
before using them in the search filter.
Ticket #96
--
Endi S. Dewata
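The patch above describes the fix only in prose. The following is an added example (not Dogtag's own code, which is Java) showing the same defence in Python: a filter built by raw concatenation beside one that validates the attribute name and escapes the assertion value per RFC 4515, with a helper that counts filter components to show the difference. The function and attribute names are assumptions for illustration.

```python
# Added example, not Dogtag's own code: escaping untrusted parameter values
# before they are interpolated into an LDAP search filter (RFC 4515 section 3).
import re
from typing import Dict

# Characters with special meaning inside an LDAP filter assertion value.
# Each is replaced by a backslash followed by its two-digit hex code.
_FILTER_ESCAPES: Dict[str, str] = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute descriptions are restricted by RFC 4512 (leading letter, then
# letters, digits or hyphens). A caller-supplied attribute name must be
# validated rather than escaped: value escaping does not cover it.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Return value with filter metacharacters escaped so it matches literally.
    Note this also neutralises '*', so callers that want wildcard search
    must add it deliberately, not pass it through from the request."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def is_valid_attribute(attr: str) -> bool:
    """True if attr is a syntactically valid attribute description."""
    return _ATTR_RE.match(attr) is not None


def build_filter_unescaped(attr: str, value: str) -> str:
    """The vulnerable pattern: the raw request value is concatenated in.
    A value such as '*)(objectClass=*' changes the filter's structure."""
    return f"({attr}={value})"


def build_filter_escaped(attr: str, value: str) -> str:
    """The fixed pattern (hypothetical helper): validate the attribute name,
    escape the value, and only then build the equality match."""
    if not is_valid_attribute(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def assertion_count(ldap_filter: str) -> int:
    """Count filter components by their opening parentheses. A single
    equality match must yield exactly 1; more means the value injected
    additional components."""
    return ldap_filter.count("(")
```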
Request to build the following PKI components on Fedora 15, Fedora 16, Fedora 17, and Fedora 18 (Rawhide) . . .
by Matthew Harmsen
Fixes have been made to address the following bugs:
* Bugzilla Bug #796006 <https://bugzilla.redhat.com/show_bug.cgi?id=796006> - Get DOGTAG_9_BRANCH GIT repository in-sync with DOGTAG_9_BRANCH SVN repository . . .
* Bugzilla Bug #747381 <https://bugzilla.redhat.com/show_bug.cgi?id=747381> - After the migration (7.1->8.1) CA agent page displays admin cert request with authtime attribute twice
* Bugzilla Bug #747019 <https://bugzilla.redhat.com/show_bug.cgi?id=747019> - Migrated policy requests from 7.1->8.1 displays issuedcerts and cert_Info params as base 64 blobs.
* Bugzilla Bug #757848 <https://bugzilla.redhat.com/show_bug.cgi?id=757848> - DRM re-key tool: introduces a blank line in the middle of an ldif entry.
* Bugzilla Bug #801840 <https://bugzilla.redhat.com/show_bug.cgi?id=801840> - pki_silent.template missing opening brace on line 1314 for ca_external variable
Please build the following components on Fedora 15, Fedora 16, Fedora
17, and Fedora 18 (rawhide) in Koji . . .
* dogtag-pki-theme-9.0.11-1.fc[15,16,17,18].src.rpm (dogtag-pki-theme)
* pki-core-9.0.18-1.fc[15,16,17,18].src.rpm (pki-core)
* pki-kra-9.0.10-1.fc[15,16,17,18].src.rpm (pki-kra)
* pki-ocsp-9.0.9-1.fc[15,16,17,18].src.rpm (pki-ocsp)
* pki-tks-9.0.9-1.fc[15,16,17,18].src.rpm (pki-tks)
* dogtag-pki-9.0.0-10.fc[15,16,17,18].src.rpm (dogtag-pki - contains NO source tarball as this is a meta-package)
All changes have been checked in, and the official tarballs (for all
three platforms) have been published to:
* http://pki.fedoraproject.org/pki/sources/dogtag-pki-theme/dogtag-pki-them... (dogtag-pki-theme)
* http://pki.fedoraproject.org/pki/sources/pki-core/pki-core-9.0.18.tar.gz (pki-core)
* http://pki.fedoraproject.org/pki/sources/pki-kra/pki-kra-9.0.10.tar.gz (pki-kra)
* http://pki.fedoraproject.org/pki/sources/pki-ocsp/pki-ocsp-9.0.9.tar.gz (pki-ocsp)
* http://pki.fedoraproject.org/pki/sources/pki-tks/pki-tks-9.0.9.tar.gz (pki-tks)
The official spec files (for all three platforms) are located at:
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/dogt...
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/pki-...
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/pki-...
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/pki-...
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/pki-...
* http://alpha.dsdev.sjc.redhat.com/home/mharmsen/kwright/SPECS/FEDORA/dogt...
Thanks,
-- Matt
[PATCH] 29 Replaced daemon threads with executor service.
by Endi Sukma Dewata
The certificate status update and retrieving modifications tasks
have been modified to use the executor service. Unlike daemon
threads, the service will allow existing tasks to exit gracefully
before shutting down. An abandon operation is used to terminate the
persistent search used for retrieving modifications. Some methods
have been moved to the CertificateRepository class to simplify
synchronization.
Ticket #73
This patch should be applied on top of #26 (or they can be squashed).
There are some other threads that can be converted to use the executor
service as well; this will be done in separate patches.
--
Endi S. Dewata
[PATCH] 26 Refactored JobsScheduler.
by Endi Sukma Dewata
The JobsScheduler has been modified to stop all jobs on shutdown.
This is done by setting a flag in each job instead of stopping the
job thread abruptly. Long running jobs should check this flag
periodically and then exit gracefully. None of the existing jobs
need to do this since they do not run very long.
Other threads that run background services have been converted into
daemons such that they will terminate automatically when the JVM
exits.
Ticket #73
--
Endi S. Dewata
Resteasy
by Endi Sukma Dewata
Ade,
The resteasy package depends on the following packages to build:
* glassfish-fastinfoset instead of glassfish-fi
* jboss-annotations-1.1-api
After fixing the dependencies, it failed to build due to some test
errors. See attachment. There are a bunch of these messages:
MIME map can't be loaded:java.lang.NullPointerException
--
Endi S. Dewata