[PATCH] Fixes for pki-silent in RHCS 8.1 ECC Errata
by Matthew Harmsen
Please review the attached patch which addresses the following two
'pki-silent' issues in RHCS 8.1:
* *Bugzilla Bug #951891* <https://bugzilla.redhat.com/show_bug.cgi?id=951891> - 'silent_ra_to_ip_port.template' fails to configure an RA successfully
* *Bugzilla Bug #952392* <https://bugzilla.redhat.com/show_bug.cgi?id=952392> - Allow RA and TPS URLs to be specified by pkisilent and utilized by the RA and TPS servers
This patch has been tested extensively on an IP Port Separated x86_64
machine running RHEL 5.9.
Testing utilized the following deployment scenario:
* CA (security domain)
  o Subordinate CA (no security domain)
    + KRA
    + TKS
    + RA
    + TPS
The KRA, RA, and TPS were tested both by signing the subsystems
certificates with the CA and again with the Subordinate CA; this testing
led to the filing of "TRAC Ticket #620 - Ability of a non-security
domain CA to store an "Administration" cert in the NSS client security
database".
11 years, 4 months
Announcement: Branch DOGTAG_10_0_BRANCH has been created
by Ade Lee
In preparation for the new work to be done for Dogtag 10.1, Dogtag 10.0
has now been branched onto a maintenance branch called
DOGTAG_10_0_BRANCH.
All future work going into Dogtag 10.0 should be checked into the
DOGTAG_10_0_BRANCH maintenance branch. We anticipate that this will
include critical and small bug fixes, security fixes etc. We will
release maintenance releases 10.0.X from this branch.
All Dogtag 10.1 feature work should be checked into master.
Thanks,
Ade
11 years, 5 months
[PATCH] 249 Fixed incorrect JNI_JAR_DIR.
by Endi Sukma Dewata
The JNI_JAR_DIR is supposed to be architecture-specific but the
pki-base package is architecture-neutral. So, to ensure it has the
correct value, the variable will be set at post installation.
Also, to simplify the upgrade process, the variable has been moved
from /etc/pki/pki.conf into /usr/share/pki/etc/pki.conf. The build,
deployment, startup, and upgrade scripts have been modified
accordingly.
I've tested this on 64-bit F18. I'm still having some issues with F19
so I can't test it there yet. Please help test on other platforms. Thanks!
--
Endi S. Dewata
11 years, 5 months
[PATCH] 132 -- Junit internal class used in TestRunner breaks F19 build
by Ade Lee
runMain() has been changed to private access in latest junit(),
breaking the 19 build. We should not have been using this class in
the first place. Replaced it with the implementation of runMain()
which uses run(classes).
Already pushed to master so that build could proceed, but please review
in case there are changes required.
Ade
11 years, 5 months
[PATCH] 131 - Fix tests in pkispawn to use legacy URLs.
by Ade Lee
Here's the changelog:
When setting up clones or non-CA subsystems, pkispawn checks if
the security domain is accessible and if the user can log in.
These calls invoke REST URIs, which are not available on older
subsystems. To support these subsystems, we need to attempt the
older legacy servlets if the REST APIs are not available.
Ticket #604
This is breaking IPA replica installs because the new URLs are not
exposed through the proxy config. Even if this is fixed, it will be
broken for old servers.
The output of getDomainXML is pretty messed up and I'll open a ticket to
fix it, but given that it appears to be parsed correctly wherever it's
being used, we can fix it later when we have time to test everything.
Please review,
Ade
11 years, 5 months
Announcing the release of Dogtag 10.0.2
by Ade Lee
The Dogtag team is proud to announce the second errata build for
Dogtag v10.0.0.
Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repo. Please try it out and provide karma to move them to the F18 and
F19 stable repos.
Daily developer builds for Fedora 17, 18 and 19 are available at
http://nkinder.fedorapeople.org/dogtag-devel/fedora/
== Build Versions ==
pki-core-10.0.2-2
pki-ra-10.0.2-2
pki-tps-10.0.2-2
dogtag-pki-10.0.2-1
dogtag-pki-theme-10.0.2-1
pki-console-10.0.2-2
== Highlights since Dogtag v. 10.0.1 ==
* A new Python client framework has been written to connect to the
restful interface on the java subsystems. This interface was used
for some installation functionality and will continue to be expanded.
* pkispawn and pkidestroy were modified to use the new Python client
framework and the dependency on jython was eliminated.
* The installation interfaces were changed so that most of the
installation interactions take place over the admin interface.
* New command line parameters have been added to pkidestroy to provide
the username and password of the security domain administrator to update
the security domain. Formerly, no credentials were required because we
used the subsystem certificate of the subsystem for authentication. The
new method provides better auditing as to exactly who is de-registering
and removing a subsystem. As such, use of the new options is
recommended, and will be made mandatory in a future release.
* Although it is possible to run Dogtag 9 style instances on Dogtag 10,
these instances do not have the required configuration to expose the
RESTful interface. A new servlet has been added to return 501 (Not
implemented) on these instances when the REST URLs are accessed. This
is only applicable on Fedora 18 (See Fedora 19 note below).
* A new interactive mode has been added to pkispawn and pkidestroy. In
this mode, users are prompted for details in order to set up the most
basic servers. Any customizations would still need to be done through
configuration files. Interactive mode is an excellent way for users to
set up a server and become familiar with Dogtag.
* Support has been added for the random generation of serial numbers for
certificates issued. More details about this feature and how to enable
it can be found here:
http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers
* Nonces are used in Dogtag to prevent cross-site request forgery and
replay attacks, but they were stored in a global list. To prevent
possible collisions with other users' nonces, they are now stored in
each user's session.
* Previously, session IDs were generated using /dev/random, which may
block under certain circumstances, making server startup slow. To avoid
this, the server configuration has been changed to use PKCS11PRNG
provided by JSS.
* A new upgrade framework has been added to allow instances to be
automatically upgraded when new packages are installed. This framework
will be used to eventually remove the need for migrations between
releases. The upgrade scripts are invoked by postinstall scriptlets in
the pki-base and pki-server packages. On completing an upgrade, users
should check the upgrade logs in /var/log/pki/pki-upgrade-*.log
and /var/log/pki/pki-server-upgrade-*.log for any errors. The upgrade
scripts (pki-upgrade and pki-server-upgrade) can also be run manually.
Additional troubleshooting information can be found at:
http://pki.fedoraproject.org/wiki/Upgrade
* New CLI has been added to simplify client certificate management
including importing and trusting CA certificates.
* Previously, the pki CLI tool used the same parameter (-w) to specify
both user and client certificate database passwords. The CLI has been
modified to use a new parameter (-c) for the database password, and -w
for the user password.
* Multiple additional fixes to pkispawn, pkidestroy, pki and their man
pages.
== Notes on Fedora 19 ==
Fedora 19 does not provide tomcat 6. Dogtag 9 style instances will
therefore no longer work on Fedora 19. These instances need to be
migrated to Dogtag 10.
To prevent inadvertently disabling Dogtag instances, code has been added
to prevent upgrades to Fedora 19 if Dogtag 9 instances exist. Details
on how to upgrade Dogtag 9 instances and workarounds can be found at:
http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_10
== Detailed Changes since Dogtag v. 10.0.1 ==
akoneru (23):
#191 Map REST exceptions to HTTP status codes
#217 CLI should display message on operations that complete with error
#290 Add hints to option descriptions for cert-find cli command
#383 Extend coverity tests to scan other subsystems (TPS, etc.)
#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
#465 Verify 'pki_backup_keys=True' if 'pki_backup_password' is set
#470 Prevent concurrent execution of pkispawn/pkidestroy
#471 Update man pages for interactive pkispawn/pkidestroy
#493 interpolation in pkispawn scripts should not apply to passwords
#502 Change pkidestroy "-w" option to require a password file
#507 Mark pki.conf as configuration file in RPM spec
#509 man page for pkispawn should be modified to specify pki_ca_signing_subject_dn when setting up subordinate CA
#514 Clean up pkispawn output
#521 Separate python deployment engine from python deployment scriptlets source code
#525 Incorrect info in pkispawn man page
#536 Catch keyboard interrupt
#542 Remove all "respawn()" logic from "pkispawn"
#543 Incorrect user-show usage.
#549 PKCS10Client tool throws java exception NoClassDefFoundError
#563 Use timeout in configuration script
#566 Mask sensitive parameters in archived config
#592 pkispawn not reporting the error message when exceptions are thrown
#593 Error caused by JSON Configuration result decoding when installing CA clone
alee (9):
#232 add python binding for pkispawn/ pkidestroy
#419 REST interface for cert requests
#532 refactor pkispawn to use new python client
#546 Upgrade script for clone installation
#564 Rename base/deploy to base/server
#589 dependency needed for java-atk-wrapper in f19
#578 Rest API does not work on d9 -> d10 upgrade instances
#590 pki-base needs to deliver /var/log/pki
#597 Create 10.0.2 builds
awnuk (7):
#569 Port support for random certificate serial numbers to Dogtag 10
#570 Port patch allowing to support random certificate serial numbers for system certificates to Dogtag 10
#579 Port patch allowing to clone CA with random serial number enabled.
#580 Port patch allowing to restart CA clone during configuration change to random serial numbers.
#584 Port patch including system certificates with random serial numbers in the certificate counter.
BZ 955784 - Correct Javascript inability to handle big numbers
BZ 951501 - Corrects key IDs miscalculated by Javascript
cfu (6):
BZ 929043 - serverCert.profile with SAN results in SubjectAltNameException
BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithm
BZ 904289 - Add ECC Support to Certificate Profiles
BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
BZ 903401 - TMS: RSA token enrollment failed : public key decode error
#362 CMC ECC
edewata (24):
#190 REST interface for user-group membership.
#291 Fix format of validityUnit option in cert-find command
#380 default install: part 2
#472 pkispawn should test DS info
#473 pkispawn should test security domain info
#474 Session-based nonces
#476 Limit username & password authentication
#477 Annotation for authentication methods
#491 Prompt CLI user on certificate warnings.
#497 Date format for cert-find
#498 [RFE] Add dates to cert-find output
#500 validityCount option returns 500 error
#501 Add cert status option to cert-find
#503 Dogtag 10: Security Domain Issues
#511 Add cert-request-show command.
#520 CLI returns 0 on error
#523 Add CLI option to capture HTTP data
#524 Tomcat blocks during startup
#535 python-requests compatibility problem
#541 Use FQDN instead of localhost in CLI
#544 Implement upgrade framework
#545 Upgrade script for random number generator
#553 pki.conf needs to be delivered by pki-base
#598 Upgrade script for JNI_JAR_DIR
jmagne (1):
#587 ipa-server-install crashes due to sslget error
mharmsen (7):
#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
#517 Clean up theme dependencies
#518 Remove UI dependencies from pkispawn
#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
BZ 947524 - Clone installation does not work over NAT
BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar
11 years, 5 months
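The session-based nonce change in the 10.0.2 announcement above (ticket #474) is easy to misread as a cosmetic refactor. The added example below, which is not Dogtag's own code, models the two designs the announcement contrasts: a single nonce list shared by every user, and a store keyed by session. The class and session names, the token format and the capacity are assumptions chosen for illustration; the point is what each store accepts. With a shared list, a nonce issued to one user is accepted when presented from another user's session, and one user's activity can evict another user's still-valid nonce (the "collision" the notes mention); keying the store by session removes both problems while still rejecting replay.

```python
"""Added example (not Dogtag's own code): global nonce list vs. per-session
nonce store, as contrasted in the Dogtag 10.0.2 release notes.
Class names, session ids and the capacity are assumptions for illustration."""
import secrets
from collections import OrderedDict


class GlobalNonceStore:
    """Assumed shape of the pre-10.0.2 behaviour: every issued nonce lands in
    one bounded list shared by all users."""

    def __init__(self, capacity=64):
        self._nonces = OrderedDict()  # insertion-ordered set, oldest first
        self._capacity = capacity

    def issue(self, session_id):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = None
        while len(self._nonces) > self._capacity:
            self._nonces.popitem(last=False)  # evict the oldest, whoever owns it
        return nonce

    def consume(self, session_id, nonce):
        # session_id is ignored: any nonce in the shared list is accepted,
        # regardless of which user it was issued to.
        if nonce in self._nonces:
            del self._nonces[nonce]
            return True
        return False


class SessionNonceStore:
    """Assumed shape of the post-10.0.2 behaviour: nonces are kept per
    session, so a nonce is only valid for the session that requested it."""

    def __init__(self, capacity=64):
        self._by_session = {}
        self._capacity = capacity

    def issue(self, session_id):
        nonces = self._by_session.setdefault(session_id, OrderedDict())
        nonce = secrets.token_hex(16)
        nonces[nonce] = None
        while len(nonces) > self._capacity:
            nonces.popitem(last=False)  # only this session's oldest is evicted
        return nonce

    def consume(self, session_id, nonce):
        nonces = self._by_session.get(session_id)
        if nonces is None or nonce not in nonces:
            return False
        del nonces[nonce]  # single use: a second presentation is a replay
        return True

    def end_session(self, session_id):
        # Session expiry discards that session's nonces; nothing lingers.
        self._by_session.pop(session_id, None)


def legitimate_accepted(store_cls):
    """Nonce presented once, from the session it was issued to."""
    store = store_cls()
    nonce = store.issue("sess-alice")
    return store.consume("sess-alice", nonce)


def cross_session_accepted(store_cls):
    """Nonce issued in Alice's session, presented from Bob's session."""
    store = store_cls()
    nonce = store.issue("sess-alice")
    return store.consume("sess-bob", nonce)


def replay_accepted(store_cls):
    """Same nonce presented twice from the issuing session."""
    store = store_cls()
    nonce = store.issue("sess-alice")
    first = store.consume("sess-alice", nonce)
    second = store.consume("sess-alice", nonce)
    return first and second


def evicted_by_other_user(store_cls, capacity=8):
    """Alice's valid nonce is lost because Bob's requests fill the store."""
    store = store_cls(capacity=capacity)
    alice_nonce = store.issue("sess-alice")
    for _ in range(capacity):
        store.issue("sess-bob")
    return not store.consume("sess-alice", alice_nonce)


if __name__ == "__main__":
    for cls in (GlobalNonceStore, SessionNonceStore):
        print(cls.__name__,
              "legitimate:", legitimate_accepted(cls),
              "cross-session:", cross_session_accepted(cls),
              "replay:", replay_accepted(cls),
              "evicted by other user:", evicted_by_other_user(cls))
```

Both stores reject a replayed nonce, so a replay test alone would not distinguish them; the cross-session and eviction checks are the ones that show why the per-session store is the safer design.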