[PATCH] 89 Enabled SSL authenticator and PKI realm.
by Endi Sukma Dewata
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a client certificate or username
and password. The authentication and authorization will be handled
by the SSL authenticator with fallback and PKI realm. New access
control rules have been added for users, groups, and certs REST
services.
Ticket #107
--
Endi S. Dewata
12 years, 6 months
[PATCH] 86 Moved REST services into separate URLs.
by Endi Sukma Dewata
To support different access control configurations the
REST services have been moved out of /pki into several
URLs.
The certificate request submission service is now located
under /ee and it does not require authentication. The
configuration service is located under /installer and
it requires service-level authentication using PIN. The
remaining services are located under /agent and /admin.
They require realm authentication using client cert or
basic authentication and also require administrator or
agent access rights. Existing servlets are not affected
by this change.
Ticket #107, #259
--
Endi S. Dewata
12 years, 6 months
[PATCH] PKI Deployment Framework PKI TRAC issues (08/01/2012)
by Matthew Harmsen
This patch documents continued implementation of the PKI Deployment
Framework based upon the revised filesystem layout documented here:
* http://pki.fedoraproject.org/wiki/PKI_Instance_Deployment#CA_.2F_KRA_.2F_...
This patch addresses the following issues:
* PKI TRAC Ticket #279 - Dogtag 10: Fix remaining 'cloning' issues in
'pkispawn' . . .
* PKI TRAC Ticket #280 - Dogtag 10: Fix remaining issues in
'pkidestroy' related to deletion of more than one instance . . .
* PKI TRAC Ticket #281 - Dogtag 10: Fix 'pkidaemon'/'operations' issue
to handle individual instance . . .
It has been tested and proven to work successfully on a 64-bit Fedora 17
machine (using the appropriate 'tomcatjss.jar').
P. S. -- Ade, as you are the most probable reviewer of this patch,
please feel free to 'push' it to 'master' if you find it in order.
12 years, 6 months
[PATCH] 88 Merged pki-jndi-realm.jar into pki-cmscore.jar.
by Endi Sukma Dewata
On Tomcat 7 it's no longer necessary to have a separate package
for the authenticator and realm classes. They are now packaged
in pki-cmscore.jar which is deployed in Tomcat's common/lib.
Ticket #126
--
Endi S. Dewata
12 years, 6 months
[PATCH] 87 Refactored PKI JNDI realm.
by Endi Sukma Dewata
The PKI JNDI realm has been modified to utilize the authentication
and authorization subsystems in PKI engine directly. It's no longer
necessary to define the LDAP connection settings in Tomcat's
configuration files.
Ticket #126
--
Endi S. Dewata
12 years, 6 months
[PATCH] 85 Added SSL authenticator with fallback.
by Endi Sukma Dewata
A custom Tomcat authenticator has been added to authenticate users
using client certificate if provided, otherwise it will fall back to
BASIC/FORM authentication.
The SSL connection has been configured with clientAuth="want" so
users can choose whether to provide a certificate or username and
password.
Ticket #107
Note: The cert-request-submit still needs to be moved out of
/pki/certrequests to allow access by unauthenticated users. Right now it
requires authentication and for some reason is not working.
--
Endi S. Dewata
12 years, 6 months