[PATCH] 360 Added ACL for selftests.
by Endi Sukma Dewata
New ACL has been added to allow only the administrators in each
subsystem to access the selftests.
Ticket #652
--
Endi S. Dewata
11 years, 1 month
Announcing the release of Dogtag 10.1
by Ade Lee
The Dogtag team is proud to announce the release of Dogtag v10.1.0.
This release is being released in conjunction with the GA release of
Fedora 20.
Due to changes in the way tomcat is started in Fedora 20, and the
corresponding changes in the Dogtag init scripts, Dogtag 10.1 will only
be delivered from Fedora 20 upwards. Dogtag 10.0 will continue to be
delivered and supported for Fedora 18 and 19.
== Build Versions ==
pki-core-10.1.0-1.fc20
pki-ra-10.1.0-1.fc20
pki-tps-10.1.0-1.fc20
…
dogtag-pki-10.1.0-1.fc20
dogtag-pki-theme-10.1.0-1.fc20
pki-console-10.1.0-1.fc20
== Upgrade Notes ==
Upgrade from Dogtag 10.0 to Dogtag 10.1 should be seamless, with all
relevant migration steps performed by upgrade scripts when the packages
are installed. Simply follow the standard procedure for upgrading from
Fedora 19 to Fedora 20. http://fedoraproject.org/wiki/Upgrading
== Highlights since Dogtag v. 10.0 ==
Infrastructure/Version Changes:
* pylint was added to the build scripts, and any pylint errors
and warnings in the python code were fixed. The build now fails
if any new errors or warnings are generated.
* RESTEasy was updated from version 2.3.2 to 3.0.1. As part of this
transition, some server code (the interceptors) was modified to
implement JAX-RS 2.0.
* In Fedora 20, tomcat has changed to more properly use systemd unit
files to start up, rather than system V init scripts.
(https://bugzilla.redhat.com/show_bug.cgi?id=842346)
As a result, new Dogtag systemd unit files (based on the tomcat unit
files) were required. This change is the primary reason Dogtag 10.1
cannot be deployed in Fedora versions < 20.
New Testing Framework:
A new test framework was added to the upstream git source tree. This
framework can be used to do standalone tests or as part of a continuous
integration testing framework. This framework includes:
* QE tests are added to upstream git as part of this release. These
tests use the beaker libraries to generate results and are run in a
beaker test bed.
* A mechanism for writing JUnit tests, with some sample tests. These
tests can be run through eclipse on a local test environment or run
along with the QE tests on a beaker machine. Customized Suite and
RunNotifier classes are provided to generate the results using beaker
libraries in place of the actual JUnit result.
* The README file in tests/dogtag provides information on how to run
the tests.
REST interface enhancements:
* The interface has been updated to use standard HTTP return codes
under various operations. Paging support has been added to most
search operations.
* New REST interfaces have been added for managing certificate profiles
on the CA. This includes:
* Methods to list, add, remove, edit, enable/disable profiles. These
methods are protected by ACLs that limit authorization to agents or
administrators as appropriate.
* Extensions to the pki CLI tool to perform all the above operations.
* A new method to provide enrollment templates to end-entity users
for specific profiles. An enrollment template is a certificate
request representation that contains all the required inputs for a
given profile. End entity users can list available profiles by
calling GET /certrequests/profiles, and fetch an enrollment
template by navigating to GET /certrequests/profiles/{id}.
DRM Enhancements:
* Audit logging has been added to the REST interfaces for key archival
and recovery.
* REST interface for asymmetric key retrieval provides ability to
submit key recovery requests, approve them, and retrieve keys
approved for recovery.
* Transport Key rotation provides ability to gradually migrate DRM and
connected CAs from a current to a new transport key. It also
provides support for simultaneous use of both transport keys.
New Stand-alone DRM:
* It is now possible to deploy a stand-alone DRM through pkispawn.
* Dogtag subsystems such as a DRM have always required the presence of
a Dogtag Certificate Authority (CA) to be part of a PKI deployment. A
stand-alone DRM uses an external CA to obtain its system
certificates, such that the DRM can be set up without a Dogtag CA in
its PKI deployment. The DRM is not expected to communicate with any
other PKI subsystems (with the exception of its clones, which will be
implemented in a future release).
Potential users of this feature include CA-less IPA installation
and storage of secrets, and possible integration with CloudKeep.
New Java-Based TPS:
* We have begun an effort to re-implement the TPS subsystem (which is
currently written as C/C++ Apache modules) in Java. The new
tomcat-tps will run in a Tomcat server like the other Java
subsystems, either within the same or in a separate Tomcat instance.
There are many steps in this effort, detailed below. As of this
release, steps 1, 2 and the design phase of step 3 are complete. The
remaining steps are slated to be delivered in the next major release.
1. Creation of installation/configuration code through pkispawn
(either interactive or non-interactive). In particular, a new
interface has been created to automate the generation and
distribution of the symmetric key that acts as a shared secret
between the TKS and TPS. Currently, this secret is generated and
distributed using tkstool - which is a manual, error-prone
process.
2. Creation of new REST interface and CLI for various TPS resources
and services including tokens, certificates, profiles, users,
groups, self tests, configurations, and logs.
3. Design and implementation of new TPS Web UI for administrators,
operators and agents.
4. Porting of lower level code that interacts with tokens and
other subsystems.
CLI improvements:
* The "pki" CLI commands have been organized according to the target
of the operations: the client, the subsystems, and the security
domain. The client commands provide an interface to manage client
certificates. The subsystem commands provide an interface to access
various services in each subsystem. The security domain commands
provide an interface for managing subsystems. The old-style commands
are still available for backward compatibility.
== Detailed Changes since Dogtag 10.0 ==
akoneru (31):
406712a Updated the tests README with the CI server setup info.
9c2f772 Maintain separate scripts for task and jobxml creation.
f93635b Update the runtest.sh file with the latest code.
2442de7 Minor changes to the test scripts.
c75ce3c Fixes for review comments
abd6142 Provide build scripts for the Java test classes.
8025dfe README file for setting up and running the tests.
224be61 Added JUnit tests upstream.
b9d125a Provide compose scripts for tests.
bb20c9f Add the QE tests to upstream git.
aa52cb6 Modify output file option for cert-request-review command.
6e700e5 Wrong date in %changelog in pki-core.spec
f630689 Added new packages required for build in pki.core.spec.
23cce97 Adding pylint scan to the build.
25fded8 Minor issue - redundant import in pkispawn
7e1a8b7 Minor changes in Installation Summary.
c1bdf93 Fixes for issues reported by pylint.
9b83091 Fix a defect in upgrade scripts.
bdec940 Fixed pylint warning W0212.
109b9b6 Fixes for issues reported by pylint.
11e7d68 Fix issues reported by pylint.
73be9e5 Fixes for issues reported by pylint.
edca1ee Fixes for issues reported by pylint.
219ec9c Fixes for issues reported by pylint.
8f08b83 Fixes for issues reported by pylint.
0f3cc75 Minor reference fix in selinux-setup.py
c1d4741 Applied PEP8 formatting to python files.
66c34cf Code refactored for global variables and utility classes.
e21bed6 Use 'with' construct for file operations.
d81c8e9 Changes to the displayed installation summary.
3cad342 Do not use sys.exit() after an error.
alee (53):
24727d1 Add migration scripts to fix registry file and ownership
3ce7191 Fix useradd command in pkispawn to not create avc
03944af Cleaned up spec files and update release number for release build
029bf78 fix spec typo
02dcc3b Update spec files for beta build
252848b Revert to allowing security manager
89eebe6 Added checks for CertRequest and Cert Resources
48fb4f1 Fix KeyRequest and Key Resources to return correct exit codes
cbb907a Fix return values in ProfileResource
5e748a5 Modify profile resource to return correct response for create or modify
a42e510 Fixed references to /var/run and /var/lock in spec files for RA and TPS.
2e54c85 Fixed logic for setting admin cert signing algorithm
21da33a Fix correct ACL for profile REST interface
cdbfab4 Add upgrade file for auth.properties
dfbc59a fix auth and authz for Profiles REST API
99def30 Add audit logging for new security data operations in kra
1b3f3bd typo in spec file
878a51a Additional fix to remove /var/run and /var/lock
b568daf Remove run and lock files from pki-core for f20
d042f57 Added method to modify connector
3c933d1 Changes to TPSConnectorService based on review
e9c373e Modify TKS self tests and execution to use new shared secret names
6eaf2c0 Add service to generate and retrieve a shared secret
4c17e82 Added interactive install for tomcat TPS
fb32217 Upgrade script to fix JAVA_OPTS
f37ae8f Workaround for resteasy context problem
acee138 Added new link for resteasy dependency
6ba0908 fixing for new tomcat systemd files
8c437a7 Change interceptors to use jaxrs 2.0
04b71d1 Catch all exceptions when checking for status.
8f0218b manager.ldif referenced incorrectly in CS.cfg
4afa12c Provide enrollment template per profile
9c7e89d Add audit logging to profile interface
a90518e Fixed filter code for revocationReason
27ed263 Changed systemd service file so that target starts up correctly
05ff18e Move status marker from CS.cfg to a variable.
27f602d Added TPS installation to the web based install panels for Java
7f829d6 Add TPS profile ID auxiliary object to tps users
5ecf890 Add TPS self tests
4ab7fdc Added ldif files to add VLV indexes to TPS installation
1be39b1 Move security domain session classes to correct package
e6b7428 Initial code to configure a TPS in tomcat
6841782 Fix link parsing code to remove broken symbolic links before replacing
5d5b40f Fixes for profile REST interface from code review.
d4b0d0c Add exceptions to Profile REST service.
ea1d7a7 Fix various issues with Profile Interface
9eb2c35 Add interfaces for managing profiles
b5fd84a Add systemd build requirement to fix build failures in f19
5374817 Bugzilla Bug 973224 - resteasy-base must be split into subpackages
3e1d74f Modify pkispawn to handle case where no subsystemCerts are generated
e02ee21 Make sure only the master keys and certs are imported.
7cf2a47 Modify java-tools startup scripts to use correct JNI path
ad7cb8e Change spec versions to 10.1.0-0.1 for 10.1 development
awnuk (16):
3e41320 REST interface extension
618be8b enable tomcat access log
2b9fcda DRM Transport Key Rotation
bc2df10 Pre-registration of CA cross signing profile
2a58ffc CA cross signing profile
b76fddf Pre-registration of UserSubjectNameConstraint plug-in
0ae2e90 UserSubjectNameConstraint plug-in
8c635c6 CRMFPopClient update
b60f640 PKCS10Client update
a80cb95 Added UTF8 to default encoding order.
27ea2f4 directory and pin profile
e4656ce exportable key
f0f6597 correcting JavaScript inability to handle big numbers
b3316c8 pki-tps various flaws
c90155c Option to include nextUpdate as an offset to thisUpdate
a6ae98f Randomized validity
cfu (3):
4db22ab Bug 1005025 - Unable to view Curve details of ECC Cert request from Agent
9d70b93 Bug 986831 - Some tools are broken for ECC with NSS token alone
d6e987b Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithm
edewata (106):
b5d353f Replaced auth.properties with acl.properties.
b1a187e Updated requirements for RESTEasy.
10ceea1 Fixed return code on non-existent and duplicate entries.
f223501 Added ACL for TPS profile mapping.
23c1fa5 Updated pki CLI man page.
94a964a Fixed client-cert-import command.
7893dac Fixed problem with key-find.
88b5bfe Added client-init command.
c73890c Updated ACL and auth method mapping names.
f02987b Added ACL for TPS selftests.
815cdd9 Added ACL for TPS connections.
c694fde Added ACL for TPS configuration.
b7716af Added ACL for TPS authenticators.
0aab0a6 Fixed CLI command parsing.
4d1ec71 Added paging on all find commands.
17a52b6 Added more null parameter checking.
014fdc8 Added null parameter checking.
f74c644 Fixed find commands.
9d30903 Fixed database cleanup issues.
66eabd9 Fixed return code for user and group services.
68897c7 Renamed CLI commands.
89d8716 Added TPS profile resource.
481ee45 Removed duplicate ACL classes.
f2f7f50 Renamed CLI commands.
1cbd519 Fixed problem running GroupMemberProcessor on non-CA.
812ecab Renamed Processor to CAProcessor.
5d8c611 Added mechanism to deprecate CLI commands.
86ef9b6 Backup upgrade tracker.
64a4b12 Fixed tests dependencies.
3b2b7ea Fixed errors during Tomcat shutdown.
6cadca3 Fixed error handling in DoUnrevoke servlet.
bdcfb92 Added access control for TPS token.
533029c Cleaned up CertEnrollmentRequest.
2119f1b Reorganized server packages.
7ca5adf Fixed problems finding user and group sub-resources.
0042318 Renamed client commands.
4566ce7 Reorganized PKIPrincipal.
6dc062e Refactored authentication managers.
dcc0f11 Reorganized PKIRealm class.
0e625c6 Moved EnableSessionInAuthenticator script to 10.0.5.
53ef3a1 Added audit resource.
ae753b2 Fixed problem getting client object.
26f0ac0 Added CA certificate CLI.
f9a4be1 Fixed user and group commands.
634d615 Added selftest resource.
f2a85c0 Fixed pylint issue in pkiparser.py.
a4a492e Fixed CLI authentication issue.
7c0fb95 Added TPS profile mapping resource.
bcf463c Added TPS connection service implementation.
565741c Added TPS authenticator service implementation.
e339952 Refactored TPS configuration resource.
a3ac3ef Refactored CLI framework.
5874cad Added TPS config resource.
4cc8327 Connected TPS certificate database to LDAP.
036ab19 Connected TPS activity database to LDAP.
848887d Connected token database to LDAP.
3567f55 Added LDAPDatabase.
b5796df Fixed dependency issue on RenewableCertificateCollection.
3446e2f Fixed dependency issue on ProfilePolicy.
13de812 Fixed duplicate TPSSubsystem instance.
3be4905 Added TPS authenticator resource.
15e029e Added TPS connection resource.
a847bcb Reorganized TPS classes.
8c101dc Fixed pkispawn blocking during TPS deployment.
510ace9 Added TPS certificate resource.
99c3fc9 Added subsystem group commands.
d2e98fe Added TPS user CLI.
ffb49f1 Added TPS activities resource.
c587da4 Reorganized CLI user commands.
ccb8d71 Refactored CLI framework.
7521662 Refactored client framework.
6d99354 Added generic database.
4a2880f Reorganized interceptors.
eb8fa13 Fixed TPS installation problem.
0b8e4d2 Fixed pylint false positive.
17d6be4 Moved Tomcat-based TPS to separate folder.
74f60e9 Added skeleton for token services.
f999249 Enabled debug log for Tomcat-based TPS.
a532695 Storing authentication info in session.
23ce40f Fixed NullPointerException with external CA.
d5a63e2 Fixed token authentication problem on RHEL.
f038cf0 Added man pages for upgrade tools.
dbf97df Fixed dependency issue on CMSRequest.
4aa89a9 Cleaned up code to install man pages.
6f76531 Reorganized deployment tools.
4d49d7e Added option to override compose work directory.
b3fad92 Reorganized server files.
55e4a3d Moved script to remove JNI_JAR_DIR to 10.0.3 folder.
ed2b774 Added support to backup folders during upgrade.
f5db517 Updated Java dependencies to version 1.7.
4798e98 Fixed RA and TPS dependencies on other PKI packages.
34fe36d Fixed library paths for RHEL 7.
99e5dc7 Added TPS servlet.
0812c8d Added Tomcat-based TPS instance.
2b1efa0 Fixed hard-coded server certificate nickname.
f9277f5 Renamed CA_PORT into PKI_CA_PORT.
1bbcc9f Renamed CA_HOST into PKI_CA_HOSTNAME.
f461a86 Replaced PKI_SUBSYSTEM_DIR with PKI_SUBSYSTEM_TYPE.
90d3f20 Renamed PKI_INSTANCE_ID into PKI_INSTANCE_NAME.
d78d744 Renamed SERVER_NAME and PKI_MACHINE_NAME into PKI_HOSTNAME.
1d53a9d Renamed SERVER_ROOT into PKI_INSTANCE_PATH.
3e1b7bd Renamed PORT and UNSECURE_PORT into PKI_UNSECURE_PORT.
8c4d4ae Renamed SECURE_PORT into PKI_SECURE_PORT.
1e25d6e Reorganized CS.cfg.in in RA and TPS.
ae94543 Removing JNI_JAR_DIR from /etc/pki/pki.conf.
aaf6e89 Added support for backup/restore on upgrade.
jmagne (2):
9c3cc5e Patch to get rid of introduced warnings.
0f7fb5d Fix Bug #963073 - rhcs81 tps crash for CN over than 64 bytes
mharmsen (10):
e54785c Fix tpsclient failure
babc511 Stand-alone DRM
47c77a6 Stand-alone DRM
51920f9 TRAC Ticket #707 - Do not "require" the following pkispawn parameters for GUI-based configuration
1094949 TRAC Ticket #641 - Incorrect interface labels in pkidaemon output
f4d5278 converted strings to lists and applied subprocess.check_call():
443bffb By default, disable SSL3_RSA_WITH_DES_CBC_SHA.
bb911f6 Bugzilla Bug #975939 - RHCS 8.1: "END CERTIFICATE" tag is not on it's ow
596808f Bugzilla Bug #971561 - DRM - server-side key generation causes NullPointer
5ae8e72 Updated man pages
nkinder (2):
deb3dfb Ticket 757 - Allow unescaped '%' characters in deployment file password
443159f Ticket 755 - Detect unescaped percent characters in deployment files
11 years, 1 month
Branch DOGTAG_10_1_BRANCH created
by Ade Lee
Hi all,
With the GA build for 10.1 completed, a new branch has been created for
10.1 maintenance. This branch is DOGTAG_10_1_BRANCH.
All subsequent checkins on master will be delivered in 10.2.
Ade
11 years, 1 month
[PATCH] 352 Replaced auth.properties with acl.properties.
by Endi Sukma Dewata
The ACLInterceptor has been modified to use acl.properties instead of
auth.properties to match the interceptor name.
The UpdateAuthzProperties upgrade script has been renamed and modified
to replace the auth.properties in existing instances with acl.properties.
--
Endi S. Dewata
11 years, 1 month
[PATCH] 177 migration scripts
by Ade Lee
Add migration scripts to fix registry file and ownership
Migration scripts have been added to update the registry file
for tomcat instances to use PKI_INSTANCE_NAME instead of PKI_INSTANCE_ID.
File ownership of the registry file and log files is also fixed.
Also removed unused lock file logic in operations startup script.
This is for migration from 10.0 -> 10.1
Ticket 805
Please review,
Thanks, Ade
11 years, 1 month