[PATCH] DRM Transport Key Rotation
by Andrew Wnuk
This patch provides basic support for DRM transport key rotation described in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected and validated transport certificate arriving as a part of extended archival request
[PATCH] 159, 160 - allow for automated generation of shared secrets for TKS/TPS connectors
by Ade Lee
Patch 159:
Add service to generate and retrieve a shared secret
A new REST service has been added to the TKS to manage shared secrets.
The shared secret is tied to the TKS-TPS connector, and is created at the
end of the TPS configuration. At this point, the TPS contacts the TKS and
requests that the shared secret be generated. The secret is returned to the
TPS, wrapped using the subsystem certificate of the TPS.
The TPS should then decrypt the shared secret and store it in its certificate
database. This operation requires JSS changes, though, and so will be deferred
to a later patch. For now, if the TPS and TKS share the same certdb, then
it is sufficient to generate the shared secret.
Clients and CLI are also provided. The CLI in particular is used to remove the
TPSConnector entries and the shared secret when the TPS is pkidestroyed.
Note: Patch 159 does have some code to remove the connector and shared
secret on pkidestroy. This code works fine, but I plan to refactor it
in a subsequent patch.
Specifically, I plan to write an old legacy style servlet
(DeregisterSystem.java) that will perform the operations needed to
deregister a system. For instance, for a TPS deregistering on a TKS,
the TKS needs to remove the TPS system user and remove the shared
secret. For a TPS deregistering from a KRA, the system user needs to be
removed. For a KRA deregistering from a CA, the system user and KRA
connector need to be removed.
Why an old style legacy server? Because the new REST servlets do not as
yet support token auth as an authentication mechanism, and to be able to
support older legacy systems which do not have REST.
Patch 160:
Modify TKS self tests and execution to use new shared secret names
The self tests and TokenServlet are modified to use the new shared secret
names. A parameter has been added to allow legacy systems to continue running
as-is. With a new system, the TKS self test will not fail on startup if
no shared secret keys are configured. It will fail, however, if the keys are
configured, but the ComputeSessionKey operation fails.
[PATCH] DRM Transport Key Rotation - update
by Andrew Wnuk
This patch provides basic support for DRM transport key rotation described in http://pki.fedoraproject.org/wiki/DRM_Transport_Key_Rotation
This patch provides implementation for tickets:
- 729 - CA to include transport certificate when submitting archival request to DRM
- 730 - DRM to detect presence of transport certificate attribute in submitted archival request and validate transport certificate against DRM's transport key list
- 731 - DRM to provide handling for alternative transport key based on detected and validated transport certificate arriving as a part of extended archival request
[PATCH] 301 Added TPS config resource.
by Endi Sukma Dewata
A new REST service and clients have been added to read and update the
TPS configuration in CS.cfg. When the configuration is updated, the
previous configuration will be stored as a backup.
Ticket #652
--
Endi S. Dewata
[PATCH] 157 migration script for f20
by Ade Lee
JAVA_OPTS can only be on one line in the new f20 config, and cannot
parse $JAVA_OPTS. This migration script will fix existing F19 instances
that do not have any customizations in them.
Ade
[PATCH] 155, 156 - more patches to get dogtag up on f20
by Ade Lee
Patch 155:
Added new link for resteasy dependency
Resteasy 3.0.1 uses apache-commons-io. Also fixed PKIErrorInterceptor
with correct method call and reformatted the interceptors.
Patch 156:
Workaround for resteasy context problem
Resteasy 3.0.1 is not populating the @Context parameters if they are
defined in a super class. This is a workaround until that problem is fixed.
See https://issues.jboss.org/browse/RESTEASY-952
With these two patches (to be layered on top of 153 and 154), all should be working on 10.1
in F20.
What is still needed:
1. Migration script to fix parameter in /etc/sysconfig/<instance_name>
2. Fix for security manager - some more rules are needed. For now, I have disabled the security manager.
Ade
[PATCH] 153, 154 - Patches to get dogtag 10 working on f20
by Ade Lee
There were two big changes in F20.
1. Change resteasy from 2.3.4 to 3.0.1
2. Change in tomcat to use systemd unit files.
Change 1 resulted in failed compilation. I fixed the compilation issues
so now it will compile and deploy, even though there are still issues.
In particular,
a) the new interceptors appear to work exactly as expected.
b) the method getStringHeaders() is not implemented in 3.0.1. Neither
is getStringHeader(foo), so we'll have to do some ugly casting or
something. Will fix in another patch. This affects client side
wrapping of exceptions.
c) We still have a problem in which @Context parameters are not set.
Change 2 basically broke the way we started. The simplest solution is
for us to change our unit file to match what tomcat has.
Notes:
a) We will need a migration script to make some changes to the property
file in /etc/sysconfig/<instance_name> for JAVA_OPTS for existing
instances. Will add in subsequent patch.
b) tomcat now logs to /var/log/messages (and journald) rather than
catalina.out. We can ask them to change this and support old
catalina.out, but not sure if we want to do this.
To see the logs, you can now do
journalctl -u pki-tomcatd@pki-tomcat.service
for example. Open to suggestions on this.
Ade