[PATCH] 78 Updated console build script.
by Endi Sukma Dewata
The console build script has been modified such that it uses the
com.netscape.certsrv.common source code from the common package.
Ticket #113, #62
--
Endi S. Dewata
12 years, 1 month
[PATCH] 77 Updated util and common build scripts.
by Endi Sukma Dewata
The build scripts for util and common packages have been modified
to use the new Java CMake library to automatically find the source
code and build the binaries.
Ticket #62
--
Endi S. Dewata
12 years, 1 month
[PATCH] 81 Added Javadoc CMake function.
by Endi Sukma Dewata
A new javadoc function has been added into Java CMake script. The
function supports generating Javadoc for Java packages including
all subpackages in it. It also supports package exclusion. This way
it's no longer necessary to specify the entire list of packages or
source files.
Ticket #62
--
Endi S. Dewata
12 years, 2 months
[PATCH] PKI Deployment Framework (20120716) ERRATA
by Matthew Harmsen
NOTE: Due to the complexity of these patches, and as they are in the
midst of the review process, I would greatly appreciate it if no more
patches are applied to the 'master' until such time as all of these
patches may be checked in (to avoid any additional merge conflicts).
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch must be applied *AFTER* the following three patches (for
convenience, all four patches have been attached to this email):
* [Patch] Port 'tomcatjss' from Tomcat 6 to Tomcat 7 . . .
* [PATCH] PKI Deployment Framework (20120716)
* [PATCH] PKI Deployment Framework Admin Certificate PKCS12 File
The following patch adds/corrects functionality of the existing PKI
Deployment Framework including (but not limited to):
* In 'catalina.properties', removed commented out jars for each of
the subsystems in the 'common.loader'
* In 'server.xml', removed the line containing a '1'
* Moved all parameters from the [Mandatory] and [Optional] sections
of the 'pkideployment.cfg' file to other more appropriate sections
(e.g. - [Common], [CA], [KRA], etc.), and removed these sections
and all of their associated logic from the 'pki-deploy' package
* Resolved Dogtag TRAC Ticket #225
Dogtag 10: Move "pkispawn"/"pkidestroy" logs
* Removed all security domain references from external CA logic
* Added new 'pki_subsystem_name' parameter to 'pkideployment.cfg'
file, and applied logic throughout 'pki-deploy'
* Added new error message in the case of an unset DNS domain name,
and replaced the log message with a simple print in the case of a
'domainname' exception
To test this patch, follow the procedure documented in "[PATCH] PKI
Deployment Framework Admin Certificate PKCS12 File".
NOTE: All patches listed above have been successfully tested on a
64-bit Fedora 17 host - there is one minor correction that will need to
be made to 'pkidestroy', as it failed to remove the instance directory
under '/var/log/pki'.
Index: src/org/apache/tomcat/util/net/jss/IJSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/IJSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/IJSSFactory.java (working copy)
@@ -24,6 +24,6 @@
import java.net.*;
interface IJSSFactory {
- public ServerSocketFactory getSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint);
public SSLSupport getSSLSupport(Socket socket);
}
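Review bot: `AbstractEndpoint` is now used in the `getSocketFactory` signature, but this hunk adds no `import org.apache.tomcat.util.net.AbstractEndpoint;` and the only import visible in the context is `import java.net.*;`. Unless that import already exists above line 24, the interface will not compile; add it next to the existing `org.apache.tomcat.util.net` imports that `ServerSocketFactory` and `SSLSupport` already rely on.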
Index: src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSSocketFactory.java (working copy)
@@ -31,8 +31,15 @@
import java.net.*;
import java.io.*;
+// Imports required to "implement" Tomcat 7 Interface
+import org.apache.tomcat.util.net.AbstractEndpoint;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+
public class JSSSocketFactory
- extends org.apache.tomcat.util.net.ServerSocketFactory {
+ implements org.apache.tomcat.util.net.ServerSocketFactory,
+ org.apache.tomcat.util.net.SSLUtil {
private static HashMap cipherMap = new HashMap();
static {
@@ -157,6 +164,8 @@
eccCipherMap.put(SSLSocket.TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS_ECDH_ECDSA_WITH_NULL_SHA");
}
+ private AbstractEndpoint endpoint;
+
static org.apache.commons.logging.Log log =
org.apache.commons.logging.LogFactory.getLog(JSSSocketFactory.class);
@@ -176,8 +185,8 @@
private IPasswordStore mPasswordStore = null;
private boolean mStrictCiphers = false;
- public JSSSocketFactory() {
- super();
+ public JSSSocketFactory (AbstractEndpoint endpoint) {
+ this.endpoint = endpoint;
}
private void debugWrite(String m) throws IOException {
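Review bot: The new constructor stores `endpoint` without a null check, and every `endpoint.getAttribute(...)` call in `init()` dereferences it, so a null endpoint would only show up later as a NullPointerException with no hint of the cause. Fail fast here, e.g. `if (endpoint == null) throw new IllegalArgumentException("endpoint must not be null");`.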
@@ -190,7 +199,7 @@
public void setSSLCiphers(String attr) throws SocketException
{
- String ciphers = (String)attributes.get(attr);
+ String ciphers = (String)endpoint.getAttribute(attr);
StringTokenizer st = new StringTokenizer(ciphers, ",");
while (st.hasMoreTokens()) {
String cipherstr = st.nextToken();
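Review bot: `endpoint.getAttribute(attr)` returns null when the connector does not set the attribute, and `new StringTokenizer(null, ",")` throws NullPointerException. The old `attributes.get(attr)` behaved the same, but now that each cipher family (`ssl2Ciphers`, `ssl3Ciphers`, `tlsCiphers`) is looked up by name, an operator who omits one gets an unhelpful crash in `init()`; return early on null or throw a `SocketException` that names the missing attribute. The same applies to `sslOptions` in the next hunk.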
@@ -250,7 +259,7 @@
public void setSSLOptions() throws SocketException
{
- String options = (String)attributes.get("sslOptions");
+ String options = (String)endpoint.getAttribute("sslOptions");
StringTokenizer st = new StringTokenizer(options, ",");
while (st.hasMoreTokens()) {
String option = st.nextToken();
@@ -301,7 +310,7 @@
void init() throws IOException {
try {
- String deb = (String)attributes.get("debug");
+ String deb = (String)endpoint.getAttribute("debug");
if (deb.equals("true")) {
debug = true;
debugFile = new FileWriter("/tmp/tomcatjss.log", true);
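Review bot: `deb.equals("true")` throws NullPointerException when `debug` is not set in server.xml; write it as `"true".equals(deb)` so the attribute is genuinely optional. Separately, the pre-existing fixed path `/tmp/tomcatjss.log` in a shared world-writable directory is opened in append mode by the Tomcat user; writing debug output under the instance's own log directory (the framework already uses '/var/log/pki') would avoid the usual shared-/tmp file problems and keep it with the rest of the instance's logs.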
@@ -313,8 +322,8 @@
try {
try {
- mPwdPath = (String)attributes.get("passwordFile");
- mPwdClass = (String)attributes.get("passwordClass");
+ mPwdPath = (String)endpoint.getAttribute("passwordFile");
+ mPwdClass = (String)endpoint.getAttribute("passwordClass");
if (mPwdClass != null) {
mPasswordStore = (IPasswordStore)Class.forName(mPwdClass).newInstance();
mPasswordStore.init(mPwdPath);
@@ -328,7 +337,7 @@
throw new IOException("JSSSocketFactory: no passwordFilePath defined");
}
- String certDir = (String)attributes.get("certdbDir");
+ String certDir = (String)endpoint.getAttribute("certdbDir");
CryptoManager.InitializationValues vals =
new CryptoManager.InitializationValues(certDir,
@@ -355,7 +364,7 @@
String st = (String) en.nextElement();
debugWrite("JSSSocketFactory init - tag name="+st+"\n");
pwd = mPasswordStore.getPassword(st);
-
+
if (pwd != null) {
debugWrite("JSSSocketFactory init - got password\n");
pw = new Password(pwd.toCharArray());
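Review bot: This hunk only strips trailing whitespace. Keep whitespace-only changes out of a functional port patch, or in a separate commit, so the Tomcat 7 changes stay easy to review and bisect; the same goes for the two whitespace-only hunks in JSSImplementation.java below.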
@@ -393,10 +402,12 @@
debugWrite("JSSSocketFactory init - no login done\n");
} //mPasswordStore not null
- String clientAuthStr = (String)attributes.get("clientauth");
+ // MUST look for "clientauth" (ALL lowercase) since "clientAuth"
+ // (camel case) has already been processed by Tomcat 7
+ String clientAuthStr = (String)endpoint.getAttribute("clientauth");
File file = null;
try {
- mServerCertNickPath = (String)attributes.get("serverCertNickFile");
+ mServerCertNickPath = (String)endpoint.getAttribute("serverCertNickFile");
debugWrite("JSSSocketFactory init - got serverCertNickFile"+
mServerCertNickPath+"\n");
file = new File(mServerCertNickPath);
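Review bot: Because Tomcat 7 consumes the camel-case `clientAuth` itself, this code now only sees the all-lowercase `clientauth`, and the README example has to carry both spellings with the same value. An operator who sets only `clientAuth` gets `clientAuthStr == null` and a NullPointerException further down instead of a message. If the camel-case value is still retrievable through `endpoint.getAttribute("clientAuth")`, fall back to it; otherwise check for null here and throw an IOException that names the attribute, as the `serverCertNickFile` branch already does.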
@@ -430,7 +441,7 @@
throw new IOException("JSSSocketFactory: no serverCertNickFile defined");
}
- //serverCertNick = (String)attributes.get("serverCert");
+ //serverCertNick = (String)endpoint.getAttribute("serverCert");
if (clientAuthStr.equalsIgnoreCase("true") ||
clientAuthStr.equalsIgnoreCase("yes")) {
requireClientAuth = true;
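Review bot: `clientAuthStr.equalsIgnoreCase("true")` dereferences a value that is null whenever `clientauth` is absent; use `"true".equalsIgnoreCase(clientAuthStr)` or guard it explicitly. Note also that the README example sets `clientauth="agent"`, which is neither `true` nor `yes` in the visible lines, so the accepted values and what each one does should be documented next to the attribute.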
@@ -444,7 +455,7 @@
&& ocspConfigured == false ) {
debugWrite("JSSSocketFactory init - checking for OCSP settings. \n" );
boolean enableOCSP = false;
- String doOCSP = (String) attributes.get("enableOCSP");
+ String doOCSP = (String) endpoint.getAttribute("enableOCSP");
debugWrite("JSSSocketFactory init - doOCSP flag:"+
doOCSP+ " \n");
@@ -457,10 +468,10 @@
enableOCSP+ "\n");
if( enableOCSP == true ) {
- String ocspResponderURL = (String) attributes.get("ocspResponderURL");
+ String ocspResponderURL = (String) endpoint.getAttribute("ocspResponderURL");
debugWrite("JSSSocketFactory init - ocspResponderURL "+
ocspResponderURL+ "\n");
- String ocspResponderCertNickname = (String) attributes.get("ocspResponderCertNickname");
+ String ocspResponderCertNickname = (String) endpoint.getAttribute("ocspResponderCertNickname");
debugWrite("JSSSocketFactory init - ocspResponderCertNickname" + ocspResponderCertNickname + "\n");
if( (ocspResponderURL != null && ocspResponderURL.length() > 0) &&
(ocspResponderCertNickname != null &&
@@ -473,9 +484,9 @@
int ocspMinCacheEntryDuration_i = 3600;
int ocspMaxCacheEntryDuration_i = 86400;
- String ocspCacheSize = (String) attributes.get("ocspCacheSize");
- String ocspMinCacheEntryDuration = (String) attributes.get("ocspMinCacheEntryDuration");
- String ocspMaxCacheEntryDuration = (String) attributes.get("ocspMaxCacheEntryDuration");
+ String ocspCacheSize = (String) endpoint.getAttribute("ocspCacheSize");
+ String ocspMinCacheEntryDuration = (String) endpoint.getAttribute("ocspMinCacheEntryDuration");
+ String ocspMaxCacheEntryDuration = (String) endpoint.getAttribute("ocspMaxCacheEntryDuration");
if (ocspCacheSize != null ||
ocspMinCacheEntryDuration != null ||
@@ -498,7 +509,7 @@
}
// defualt to 60 seconds;
- String ocspTimeout = (String) attributes.get("ocspTimeout");
+ String ocspTimeout = (String) endpoint.getAttribute("ocspTimeout");
if (ocspTimeout != null) {
debugWrite("JSSSocketFactory init - ocspTimeout= \n" + ocspTimeout);
int ocspTimeout_i = Integer.parseInt(ocspTimeout);
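Review bot: `Integer.parseInt(ocspTimeout)` is unguarded, so a non-numeric `ocspTimeout` raises NumberFormatException that is caught only by the blanket `catch (Exception ex)` at the end of `init()`, which hides which attribute was bad. Parse it in a try/catch that reports the attribute name and value, and fix the comment typo `defualt`.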
@@ -525,7 +536,7 @@
// 12 hours = 43200 seconds
SSLServerSocket.configServerSessionIDCache(0, 43200, 43200, null);
- String strictCiphersStr = (String)attributes.get("strictCiphers");
+ String strictCiphersStr = (String)endpoint.getAttribute("strictCiphers");
if (strictCiphersStr.equalsIgnoreCase("true") ||
strictCiphersStr.equalsIgnoreCase("yes")) {
mStrictCiphers = true;
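Review bot: `strictCiphersStr.equalsIgnoreCase("true")` throws NullPointerException when `strictCiphers` is not configured; treat an absent attribute as `false` with `"true".equalsIgnoreCase(strictCiphersStr) || "yes".equalsIgnoreCase(strictCiphersStr)`.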
@@ -539,7 +550,6 @@
}
setSSLOptions();
- setSSLOptions();
debugWrite("SSSocketFactory init - after setSSLOptions\n");
} catch (Exception ex) {
debugWrite("JSSSocketFactory init - exception thrown:"+
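Review bot: Dropping the duplicated `setSSLOptions()` call is correct. While here, the debug string `"SSSocketFactory init - after setSSLOptions\n"` is missing a `J`; make it `JSSSocketFactory` so log greps for the class name find it.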
@@ -627,4 +637,21 @@
} catch (Exception e) {
}
}
+
+ // Methods required to "implement" Tomcat 7 Interface
+ public SSLContext createSSLContext() throws Exception {
+ return null;
+ }
+
+ public KeyManager[] getKeyManagers() throws Exception {
+ return null;
+ }
+
+ public TrustManager[] getTrustManagers() throws Exception {
+ return null;
+ }
+
+ public void configureSessionContext(javax.net.ssl.SSLSessionContext sslSessionContext) {
+ return;
+ }
}
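Review bot: The three `SSLUtil` methods that return null do so silently. If Tomcat ever routes this connector through `SSLUtil` rather than the `ServerSocketFactory` path, the null `SSLContext` or key/trust manager arrays surface as a NullPointerException inside Tomcat with no pointer back to tomcatjss. Throwing `UnsupportedOperationException("JSS does not provide a JSSE SSLContext")` from `createSSLContext()`, `getKeyManagers()` and `getTrustManagers()` makes the unsupported configuration fail loudly and name this class; `configureSessionContext` can stay a no-op.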
Index: src/org/apache/tomcat/util/net/jss/JSSImplementation.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSImplementation.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSImplementation.java (working copy)
@@ -12,7 +12,7 @@
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
- *
+ *
* Copyright (C) 2007 Red Hat, Inc.
* All rights reserved.
* END COPYRIGHT BLOCK */
@@ -21,8 +21,10 @@
import java.net.Socket;
import java.io.*;
+import org.apache.tomcat.util.net.AbstractEndpoint;
import org.apache.tomcat.util.net.SSLImplementation;
import org.apache.tomcat.util.net.SSLSupport;
+import org.apache.tomcat.util.net.SSLUtil;
import org.apache.tomcat.util.net.ServerSocketFactory;
public class JSSImplementation extends SSLImplementation
@@ -38,7 +40,7 @@
public JSSImplementation() throws ClassNotFoundException {
Class.forName(SSLSocketClass);
-
+
try {
Class factcl = Class.forName(JSSFactory);
factory = (JSSFactory)factcl.newInstance();
@@ -52,8 +54,9 @@
return "JSS";
}
- public ServerSocketFactory getServerSocketFactory() {
- ServerSocketFactory ssf = factory.getSocketFactory();
+ public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint)
+ {
+ ServerSocketFactory ssf = factory.getSocketFactory(endpoint);
return ssf;
}
@@ -85,7 +88,13 @@
*
* Once this abstract method is removed from SSLImplementation in a
* future release we can remove this stub.
+ *
+ * NOTE: This method has NOT yet been deprecated in Tomcat 7!
*/
return null;
}
+
+ public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {
+ return null;
+ }
}
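Review bot: `getSSLUtil(AbstractEndpoint)` returns null, so any Tomcat 7 endpoint that obtains its SSL configuration through `SSLUtil` rather than `getServerSocketFactory(endpoint)` will fail with a NullPointerException inside Tomcat. Either throw `UnsupportedOperationException` here so the error names tomcatjss, or state in the README which connector protocols are supported with JSS (the example there uses `protocol="HTTP/1.1"`).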
Index: src/org/apache/tomcat/util/net/jss/JSSFactory.java
===================================================================
--- src/org/apache/tomcat/util/net/jss/JSSFactory.java (revision 229)
+++ src/org/apache/tomcat/util/net/jss/JSSFactory.java (working copy)
@@ -27,8 +27,8 @@
JSSFactory() {
}
- public ServerSocketFactory getSocketFactory() {
- return new JSSSocketFactory();
+ public ServerSocketFactory getSocketFactory(AbstractEndpoint endpoint) {
+ return new JSSSocketFactory(endpoint);
}
public SSLSupport getSSLSupport(Socket socket) {
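Review bot: As with `IJSSFactory`, `AbstractEndpoint` appears in the new signature but no `import org.apache.tomcat.util.net.AbstractEndpoint;` is added in this hunk; confirm it is imported above line 27 or JSSFactory will not compile.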
Index: README
===================================================================
--- README (revision 229)
+++ README (working copy)
@@ -3,7 +3,7 @@
tomcatjss defines a number of attributes for a Connector including:
-clientAuth: specify if client authentication is required in the connector (or
+clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
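Review bot: The text now documents only the lowercase `clientauth`, still says it "can be true or false", and gives no hint that the camel-case `clientAuth` must also be set under Tomcat 7, which is exactly what the example below does with `clientAuth="agent"` and `clientauth="agent"`. Document both spellings here, why both are needed, and the full set of accepted values including `agent`.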
@@ -16,6 +16,9 @@
ssl3Ciphers: specifies a list of SSL3 ciphers that tomcatjss should accept
or reject from the client. You can use + to denote "accept", - means "reject".
+tlsCiphers: specifies a list of TLS ciphers that tomcatjss should accept
+or reject from the client. You can use + to denote "accept", - means "reject".
+
serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.
@@ -30,29 +33,41 @@
sslProtocol: needs to be SSL
-SSLImplementation: Needs to be org.apache.tomcat.util.net.jss.JSSImplementation
+sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin
Here is an example of a secure connector:
-<Connector port="9443"
+<Connector port="8443"
+ protocol="HTTP/1.1"
+ SSLEnabled="true"
+ sslProtocol="SSL"
+ scheme="https"
+ secure="true"
+ keyStoreType="PKCS11"
maxHttpHeaderSize="8192"
+ acceptCount="100"
maxThreads="150"
minSpareThreads="25"
- maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
- acceptCount="100"
- scheme="https"
- secure="true"
- clientAuth="false"
- sslProtocol="SSL"
+ sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
+ enableOCSP="false"
+ ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
+ ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
+ ocspCacheSize="1000"
+ ocspMinCacheEntryDuration="60"
+ ocspMaxCacheEntryDuration="120"
+ ocspTimeout="10"
+ strictCiphers="false"
+ clientAuth="agent"
+ clientauth="agent"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
- ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,+TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"
- SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation"
- serverCertNickFile="/var/lib/rhpki-ca/conf/serverCertNick.conf"
- passwordFile="/var/lib/rhpki-ca/conf/password.conf"
+ ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+ tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
+ serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
+ passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
- certdbDir="/var/lib/rhpki-ca/alias"
+ certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>
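Review bot: The documented example still enables `sslOptions="ssl2=true,ssl3=true,tls=true"`. SSLv2 should not be offered at all, and every suite in `ssl2Ciphers` is already rejected with `-`, so `ssl2=true` buys nothing; the `ssl3Ciphers` line also still accepts `+SSL3_RSA_WITH_DES_CBC_SHA` and `+SSL3_RSA_WITH_RC4_128_SHA`. Ship the example with `ssl2=false`, `ssl3=false` where clients allow, and the suites in `tlsCiphers`. Also replace the internal host `pkilinux.sjc.redhat.com` in `ocspResponderURL` with a placeholder, and add a one-line comment explaining why both `clientAuth="agent"` and `clientauth="agent"` appear.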
Index: build.xml
===================================================================
--- build.xml (revision 229)
+++ build.xml (working copy)
@@ -37,8 +37,8 @@
<property name="Name" value="Tomcat JSS"/>
<property name="name" value="tomcatjss"/>
- <property name="version" value="6.0.2"/>
- <property name="manifest-version" value="6.0.2"/>
+ <property name="version" value="7.0.0"/>
+ <property name="manifest-version" value="7.0.0"/>
<!--
Set the properties that control various build options
@@ -98,7 +98,7 @@
-->
<property name="jar.home" value="/usr/share/java" />
<property name="commons-logging.jar" value="${jar.home}/commons-logging-api.jar" />
- <property name="tomcat.lib" value="${jar.home}/tomcat6" />
+ <property name="tomcat.lib" value="${jar.home}/tomcat" />
<property name="tomcat-coyote.jar" value="${tomcat.lib}/tomcat-coyote.jar" />
<property name="jss.home" value="${jnidir}" />
<!-- This property is set to '/dirsec' when built on rhel4 -->
Index: tomcatjss.spec
===================================================================
--- tomcatjss.spec (revision 229)
+++ tomcatjss.spec (working copy)
@@ -1,5 +1,5 @@
Name: tomcatjss
-Version: 6.0.2
+Version: 7.0.0
Release: 1%{?dist}
Summary: JSSE implementation using JSS for Tomcat
URL: http://pki.fedoraproject.org/
@@ -13,41 +13,17 @@
# jpackage-utils requires versioning to meet both build and runtime requirements
# jss requires versioning to meet both build and runtime requirements
-# tomcat6 requires versioning to meet both build and runtime requirements
+# tomcat requires versioning to meet both build and runtime requirements
BuildRequires: ant
-BuildRequires: java-devel >= 1:1.6.0
-%if 0%{?fedora} >= 16
-BuildRequires: jpackage-utils >= 0:1.7.5-10
-BuildRequires: jss >= 4.2.6-19.1
-BuildRequires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6 >= 6.0.30-6
-%else
-BuildRequires: jpackage-utils
-BuildRequires: jss >= 4.2.6-17
-BuildRequires: tomcat6
-%endif
-%endif
+BuildRequires: java-devel
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
-Requires: java >= 1:1.6.0
-%if 0%{?fedora} >= 16
-Requires: jpackage-utils >= 0:1.7.5-10
-Requires: jss >= 4.2.6-19.1
-Requires: tomcat6 >= 6.0.32-16
-%else
-%if 0%{?fedora} >= 15
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6 >= 6.0.30-6
-%else
-Requires: jpackage-utils
-Requires: jss >= 4.2.6-17
-Requires: tomcat6
-%endif
-%endif
+Requires: java
+BuildRequires: jpackage-utils >= 0:1.7.5-15
+BuildRequires: jss >= 4.2.6-24
+BuildRequires: tomcat >= 7.0.27
# The 'tomcatjss' package conflicts with the 'tomcat-native' package
# because it uses an underlying NSS security model rather than the
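Review bot: The runtime dependency block is wrong: the three lines after `+Requires: java` read `+BuildRequires: jpackage-utils >= 0:1.7.5-15`, `+BuildRequires: jss >= 4.2.6-24` and `+BuildRequires: tomcat >= 7.0.27`, so the built package no longer `Requires:` jpackage-utils, jss or tomcat at install time, and the BuildRequires are listed twice. Change those three lines to `Requires:`; also consider keeping a version floor on `Requires: java`, which the old spec had as `>= 1:1.6.0`.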
@@ -100,6 +76,9 @@
%{_javadir}/*
%changelog
+* Wed Jun 06 2012 Matthew Harmsen <mharmsen(a)redhat.com> 7.0.0-1
+- Bugzilla Bug #819554 - tomcatjss: Please migrate from tomcat6 to tomcat7
+
* Thu Sep 22 2011 Matthew Harmsen <mharmsen(a)redhat.com> 6.0.2-1
- Bugzilla Bug #734590 - Refactor JNI libraries for Fedora 16+ . . . (mharmsen)
- Bugzilla Bug #699809 - Convert CS to use systemd (alee)
12 years, 2 months
[PATCH] PKI Deployment Framework Admin Certificate PKCS12 File
by Matthew Harmsen
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch must be applied AFTER "[PATCH] PKI Deployment Framework
(20120716)".
The following patch adds/corrects functionality of the existing PKI
Deployment Framework including (but not limited to):
Saved Admin Certificate, imported it into NSS client security
databases, and exported it to a PKCS #12 file such that it may be
imported into a browser.
TRAC Ticket #221
Dogtag 10: Create a PKCS #12 file containing the Admin Certificate
(https://fedorahosted.org/pki/ticket/221)
To test this patch (presumes a Fedora 17 machine with a pre-installed
directory server and PKI packages with these two patches installed):
As 'root' on 'example.fedora.org':
# (if necessary) pkidestroy -s CA -v -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
# pkispawn -s CA -f /tmp/pki/pkideployment.cfg -vvv -d fedora.org -i foobar --http_port 8080 --https_port 8443 --ajp_port 8005
# systemctl restart pki-tomcatd@fedora.org-foobar.service
# mkdir -p /tmp/pki
# cp /usr/share/pki/deployment/config/pkideployment.cfg /tmp/pki
# cd /tmp/pki
# Edit pkideployment.cfg and add the desired passwords to the
following variables:
* pki_admin_password=
* pki_backup_password= (THIS CAN BE SKIPPED)
* pki_client_pkcs12_password=
* pki_ds_password=
* pki_pkcs12_password=
* pki_security_domain_password=
If necessary, change the default ports on the directory server to
match the installed version
As 'user' on 'example.fedora.org':
* firefox -ProfileManager -no-remote &
* New Profile: example
* http://example.fedora.org:8080/ca/services
* Launches browser tab entitled 'CA Services'
* Select 'SSL End Users Services' in new tab
* Trust this Connection
* Launches browser tab entitled 'CA End-Entity'
* Select "Retrieval" tab
* Select "Import CA Certificate Chain"
* Select "Import the CA certificate chain into your browser"
* Press Submit
* Check all three Trust checkboxes and press OK
* From the Browser's Menu:
* Select Edit | Preferences
* Highlight the Advanced icon
* Select the Encryption tab
* Press the View Certificates button
* Select the "Your Certificates" tab
* Press the Import button
* Go to File System | tmp | fedora.org-foobar_client
* Highlight ca_admin_cert.p12
* Press the Open button
* Type in the PKCS #12 password
* Dismiss the "Success" pop-up by pressing OK
* Dismiss the Encryption tab by pressing OK
* Close Preferences by pressing Close
* From the 'CA Services' tab, select 'Agent Services' in a new tab
* Select the proper cert from the pulldown menu and press OK
* Launches browser tab entitled 'CA Agent'
* Re-select 'CA End-Entity' tab in browser
* Select 'Enrollment/Renewal' tab
* Select Manual User Dual-Use Certificate Enrollment
* Type test in UID field
* Press Submit button
* Re-select 'CA Agent' tab in browser
* Select 'List Requests' on left-hand menu
* Press Find
* Select the cert (e. g. - '7') from the Request Queue
* Scroll to the bottom and press the submit button
* Select 'List Certificates' on left-hand menu
* Press Find
* The new certificate (e. g. - '7') should be displayed
12 years, 2 months
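A pre-flight check for the pkideployment.cfg edits in the procedure above, as an added example that is not pki-deploy's own code: it parses the file, reports required pki_*_password parameters that are missing or blank, treats pki_backup_password as optional as the steps say, and checks that the file is not group/world readable, since the passwords sit in clear text under /tmp/pki. The section layout, which section holds each parameter, the sample file contents and all function names are assumptions of the example.

```python
"""Pre-flight check for a pkideployment.cfg before running pkispawn.

Added example, not code from the pki-deploy package. It assumes only what
the procedure states: pkideployment.cfg is an INI-style file with sections
such as [Common], [CA], [KRA], and the pki_*_password parameters listed in
the procedure must be filled in before pkispawn runs. Which section holds
each parameter is not specified, so every section is searched.
"""
import configparser
import os
import stat

# Parameters the procedure says must be set; pki_backup_password may be skipped.
REQUIRED_PASSWORDS = (
    "pki_admin_password",
    "pki_client_pkcs12_password",
    "pki_ds_password",
    "pki_pkcs12_password",
    "pki_security_domain_password",
)
OPTIONAL_PASSWORDS = ("pki_backup_password",)


def load_config(text):
    """Parse pkideployment.cfg text. Interpolation is disabled so a password
    containing '%' is neither mangled nor rejected by configparser."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def find_parameter(parser, name):
    """Return (section, value) for the first section defining name, else (None, None)."""
    for section in parser.sections():
        if parser.has_option(section, name):
            return section, parser.get(section, name)
    return None, None


def check_passwords(text):
    """Return a list of problems: required passwords that are absent or blank."""
    parser = load_config(text)
    problems = []
    for name in REQUIRED_PASSWORDS:
        section, value = find_parameter(parser, name)
        if section is None:
            problems.append("%s: not set in any section" % name)
        elif not value.strip():
            problems.append("[%s] %s: empty" % (section, name))
    return problems


def optional_blank(text):
    """Names of optional passwords that are present but left blank (skipped, not an error)."""
    parser = load_config(text)
    blank = []
    for name in OPTIONAL_PASSWORDS:
        section, value = find_parameter(parser, name)
        if section is not None and not value.strip():
            blank.append(name)
    return blank


def mode_is_private(mode):
    """True when a file mode grants no group or other permissions.
    The cfg holds clear-text passwords, so 0600 or 0400 is the only
    acceptable mode once the passwords are filled in."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_file(path):
    """Check an on-disk pkideployment.cfg: permissions first, then contents."""
    problems = []
    if not mode_is_private(os.stat(path).st_mode):
        problems.append("%s: readable by group/other; chmod 0600 it" % path)
    with open(path) as fh:
        problems.extend(check_passwords(fh.read()))
    return problems


# Constructed sample, not a real deployment file: pki_ds_password was left blank.
SAMPLE_CFG = """\
[Common]
pki_subsystem_name=CA
pki_admin_password=Secret123
pki_backup_password=
pki_client_pkcs12_password=Secret123
pki_ds_password=
pki_security_domain_password=Secret123

[CA]
pki_pkcs12_password=Secret123
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        found = check_file(sys.argv[1])
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_CFG
        found = check_passwords(text)
    for problem in found:
        print("ERROR:", problem)
    for name in optional_blank(text):
        print("note: %s is blank and will be skipped" % name)
    sys.exit(1 if found else 0)
```

Run it as `python3 check_cfg.py /tmp/pki/pkideployment.cfg` before `pkispawn`; with no argument it checks the embedded sample and reports the blank pki_ds_password. Searching all sections rather than one keeps the check valid after the patch above moved parameters out of [Mandatory]/[Optional] into [Common], [CA] and friends.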
[PATCH] 76 Added Java CMake library.
by Endi Sukma Dewata
New Java CMake library has been added to find the source
code automatically so it's no longer necessary to maintain
the list of source files in the build script. The library
also provides separate functions to compile, package, and
create symbolic links allowing more flexibility over the
build process.
Ticket #62
--
Endi S. Dewata
12 years, 2 months
[PATCH] 75 Merged changes in com.netscape.certsrv.common.
by Endi Sukma Dewata
Due to a packaging issue the source code in com.netscape.certsrv.common
was duplicated into common and console packages and over time they
have become out-of-sync. This patch merges the changes such that they
are now identical. When the packaging issue is fixed later the
duplicate copy can be removed.
Ticket #113
--
Endi S. Dewata
12 years, 2 months
[PATCH] PKI Deployment Framework (20120716)
by Matthew Harmsen
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
The following patch adds/corrects functionality of the existing PKI
Deployment Framework including (but not limited to):
* Integration of Tomcat 7
* Introduction of dependency upon tomcatjss 7.0
* Removal of http filtering configuration mechanisms
* Introduction of additional slot substitution to support revised
filesystem layout
* Addition of 'pkiuser' uid:gid creation methods
* Inclusion of per instance '*.profile' files
* Introduction of configurable 'configurationRoot' parameter
* Introduction of default configuration of 'log4j' mechanism (alee)
* Modify web.xml to use new Application classes to bootstrap servers
(alee)
* Introduction of "Wrapper" logic to support Tomcat 6 --> Tomcat 7 API
change (jmagne)
* Added jython helper function to allow attaching a remote java
debugger (e. g. - eclipse)
Additionally, this patch has been re-based against the current 'master'
and has been successfully executed to completion with regards to
installing a CA, enrolling for a certificate, and accepting a
certificate on a 64-bit Fedora 17 installation.
-- Matt
12 years, 2 months