[PATCH] 237, 238 - Add python api docs to build
by Ade Lee
Hi,
Patch 237 adds sphinx generated python API docs for the Python client
code to the build. The API docs are generated in HTML and man page
formats.
To see the generated docs, do the following:
man pki-python-client
firefox /usr/share/doc/pki-base/html/index.html
Patch 238 adds a bunch of comments in the right format to many of the
client classes. We're going to need to modify the rest as we go along,
but this is a good start.
Ade
10 years, 3 months
[PATCH] 533 Fixed pylint failure on F21.
by Endi Sukma Dewata
The build failed on F21 due to stricter pylint requirements which
generate new warnings. For now they are marked to be ignored.
--
Endi S. Dewata
10 years, 3 months
jss/tomcatjss release/repos
by Timo Aaltonen
Hi
I was updating tomcatjss for Debian, but turns out that it needs extra
patches to jss to support TLS. The jss version I have is based on 4.3.1
(plus all Fedora patches that apply) while Fedora is based on 4.2.6, and
the new TLS patch didn't apply as-is. Is there hope that the rather
large bunch of jss patches ever land upstream, and a new release is made?
Also, it would be nice to have a proper git repo for tomcatjss, or at
least I haven't been able to find one..
--
t
10 years, 3 months
Revocation investigation with Shared Tomcat instance
by John Magne
I have managed to take a look at the problems we have seen with configuring revocation checking on incoming
client auth certs for the various subsystems. Here is a recap and some further info.
1. Now that we have shared subsystems we have recommended that configuring OCSP for the shared instance makes no
sense and will not work.
2. The second recommendation was to configure revocation checking within the subsystem. This sort of thing is configured allegedly
as follows for a kra instance:
auths.instance.AgentCertAuth.agentGroup=Certificate Manager Agents
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.instance.TokenAuth.pluginName=TokenAuth
auths.revocationChecking.bufferSize=50
auths.revocationChecking.enabled=true
auths.revocationChecking.kra=kra
auths.instance.AgentCertAuth.checkRevocation=true
The key setting is this one:
auths.revocationChecking.enabled=true
Also cfu had previously recommended that we put this one in:
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
More on this later.
3. Testing and conclusions:
4. Trying this setting on the CA appears to work just fine. After putting the admin cert "On Hold"
the code intervenes and throws some sort of "Invalid credentials" error to the screen when trying to access
the CA's agent page.
The key piece of code that enforces this NOW is in CertUserDBAuthentication.java:
if (mRevocationCheckingEnabled) {
    X509CertImpl cert0 = (X509CertImpl) x509Certs[0];
    if (cert0 == null) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_NO_CERT"));
        throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_NO_CERT"));
    }
    if (CMS.isRevoked(x509Certs)) {
        log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_AUTH_REVOKED_CERT"));
        throw new EInvalidCredentials(CMS.getUserMessage("CMS_AUTHENTICATION_INVALID_CREDENTIAL"));
    }
}
The routine "CMS.isRevoked" works in the CA case.
5. I tried this in the KRA and the routine in question does not return a conclusive status of the certificate, thus fails.
CFU is of the opinion that this used to work and perhaps something was changed along the way. The routine she flagged as a possibility is here:
private ICertificateRepository getCertDB() {
    ICertificateRepository certDB = null;
    try {
        ICertificateAuthority ca = (ICertificateAuthority)
                SubsystemRegistry.getInstance().get("ca");
        if (ca != null) {
            certDB = ca.getCertificateRepository();
        }
    } catch (Exception e) {
        CMS.debug("CMSEngine: " + CMS.getLogMessage("CMSCORE_AUTH_AGENT_CERT_REPO"));
    }
    return certDB;
}
Since we have a shared instance, the certDB should be found and thus allow the whole thing to work.
Now for some reason this bombs out and we are doomed from this point forward.
Questions:
1. edewata, alee, do you guys know of something that might have changed to have caused this?
2. auths.instance.AgentCertAuth.pluginName=AgentCertAuth setting no longer has an effect because the PKIRealm appears to be
hardcoding the authentication manager to be the above "CertUserDBAuthentication" manager. This is perhaps a side point but worth
asking about?
3. Looking for opinions on how to deal with this? It may be a case of simply biting the bullet and figuring out why our code
no longer works and filing and completing a ticket for this.
I have not tested the other non CA subs but I am pretty sure the problem will surface there as well.
thanks,
jack
10 years, 4 months
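The gate discussed in the revocation thread above, as an added model (not Dogtag's code): it parses the `auths.revocationChecking.*` and `checkRevocation` keys quoted in the post in CS.cfg style and applies the same order as CertUserDBAuthentication (no cert, then revocation), with a third, inconclusive status standing in for the KRA case where getCertDB() cannot reach the CA repository. The sample config fragment, the `status_of` callback and all function names are constructed for this example.

```python
# Model of the client-cert revocation gate discussed in the thread.
# Constructed example, not Dogtag code: status_of stands in for CMS.isRevoked(),
# and UNKNOWN models the KRA case where the CA repository is unreachable.
from enum import Enum
from typing import Callable, Dict, List
# Constructed CS.cfg fragment, mirroring the keys quoted in the thread.
SAMPLE_CFG = """\
auths.instance.AgentCertAuth.pluginName=AgentCertAuth
auths.revocationChecking.bufferSize=50
auths.revocationChecking.enabled=true
auths.instance.AgentCertAuth.checkRevocation=true
"""

class RevStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # repository lookup failed: status inconclusive

class InvalidCredentials(Exception):
    """Stands in for EInvalidCredentials."""

def parse_cs_cfg(text: str) -> Dict[str, str]:
    """Parse CS.cfg-style key=value lines; blanks and '#' comments are skipped."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def revocation_checking_enabled(cfg: Dict[str, str], instance: str) -> bool:
    """Both the global switch and the per-instance flag must be 'true'."""
    return (cfg.get("auths.revocationChecking.enabled") == "true"
            and cfg.get(f"auths.instance.{instance}.checkRevocation") == "true")

def authenticate(chain: List[str], status_of: Callable[[List[str]], RevStatus],
                 cfg: Dict[str, str], instance: str = "AgentCertAuth") -> str:
    """Return the leaf cert when accepted, else raise InvalidCredentials."""
    if not chain or chain[0] is None:
        raise InvalidCredentials("CMS_AUTHENTICATION_NO_CERT")
    if revocation_checking_enabled(cfg, instance):
        status = status_of(chain)
        # Only GOOD passes: REVOKED and UNKNOWN both fail closed, which is the
        # "Invalid credentials" the thread reports for the CA and KRA cases.
        if status is not RevStatus.GOOD:
            raise InvalidCredentials(f"CMS_AUTHENTICATION_INVALID_CREDENTIAL:{status.value}")
    return chain[0]
```

The inconclusive branch is the one to watch when debugging the shared instance: a lookup that cannot reach the CA repository is indistinguishable from a revoked certificate at the login screen, so the distinguishing evidence is in the debug log, not in the error shown to the agent.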
Dogtag 10.2.0 is now in Debian
by Timo Aaltonen
Hi!
I'm happy to announce that Dogtag (version 10.2.0) has finally entered
the Debian unstable repository this week. Assuming there won't be any nasty
surprises, the next stable release ("Jessie") will include it. Many
thanks to Ade Lee who did the first pass of packaging the long chain of
dependencies, up to and including RESTEasy.
And next week there should be another announcement...
--
t
10 years, 4 months
non-DFSG free binary files?
by Timo Aaltonen
Hi
The git tree has a number of files Debian is likely unable to distribute
due to the Debian Free Software Guidelines[1], which would mean shipping Dogtag
and what depends on it in non-free:
./dogtag/console-ui/src/CMSAdminRS.properties (application/octet-stream)
./tests/dogtag/shared/generateCRMFRequest.jar (application/jar)
./base/migrate/72ToTxt/classes/CMS72LdifParser.class (application/x-java-applet)
./base/migrate/72ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/42ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/42ToTxt/classes/CMS42LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo80/classes/CS80LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo80/classes/Main.class (application/x-java-applet)
./base/migrate/70ToTxt/classes/CMS70LdifParser.class (application/x-java-applet)
./base/migrate/70ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/kra/RecoverPin.class (application/x-java-applet)
./base/migrate/kra/RecoverKey.class (application/x-java-applet)
./base/migrate/TxtTo73/classes/CMS73LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo73/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo73/classes/Main.class (application/x-java-applet)
./base/migrate/42SP2ToTxt/classes/CMS42SP2LdifParser.class (application/x-java-applet)
./base/migrate/42SP2ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/60ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/60ToTxt/classes/CMS60LdifParser.class (application/x-java-applet)
./base/migrate/45ToTxt/classes/CMS45LdifParser.class (application/x-java-applet)
./base/migrate/45ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/73ToTxt/classes/CMS73LdifParser.class (application/x-java-applet)
./base/migrate/73ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/63ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/63ToTxt/classes/CMS63LdifParser.class (application/x-java-applet)
./base/migrate/41ToTxt/classes/CMS41LdifParser.class (application/x-java-applet)
./base/migrate/41ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo72/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo72/classes/CMS72LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo72/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo71/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo71/classes/CMS71LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo71/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo70/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo70/classes/CMS70LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo70/classes/Main.class (application/x-java-applet)
./base/migrate/71ToTxt/classes/CMS71LdifParser.class (application/x-java-applet)
./base/migrate/71ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/80/MigrateSecurityDomain.class (application/x-java-applet)
./base/migrate/47ToTxt/classes/CMS47LdifParser.class (application/x-java-applet)
./base/migrate/47ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo61/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo61/classes/CMS61LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo61/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo60/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo60/classes/Main.class (application/x-java-applet)
./base/migrate/TxtTo60/classes/CMS60LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo62/classes/DummyAuthManager.class (application/x-java-applet)
./base/migrate/TxtTo62/classes/CMS62LdifParser.class (application/x-java-applet)
./base/migrate/TxtTo62/classes/Main.class (application/x-java-applet)
./base/migrate/61ToTxt/classes/CMS61LdifParser.class (application/x-java-applet)
./base/migrate/61ToTxt/classes/Main.class (application/x-java-applet)
./base/migrate/62ToTxt/classes/CMS62LdifParser.class (application/x-java-applet)
./base/migrate/62ToTxt/classes/Main.class (application/x-java-applet)
./base/ca/shared/webapps/ca/agent/xenroll.dll (application/x-dosexec)
./base/tps-client/applets/404E4697.ijc (application/octet-stream)
./base/tps-client/applets/402428AD.ijc (application/octet-stream)
./base/tps-client/applets/1.3.42659461.ijc (application/octet-stream)
./base/tps-client/applets/1.4.499dc06c.ijc (application/octet-stream)
./base/tps-client/applets/1.3.427BDDB8.ijc (application/octet-stream)
./base/tps-client/applets/3FD00877.ijc (application/octet-stream)
./base/tps-client/applets/1.2.4122DFB4.ijc (application/octet-stream)
./base/tps-client/applets/1.2.416DA155.ijc (application/octet-stream)
./base/tps-client/applets/1.4.4d40a449.ijc (application/octet-stream)
./base/tps-client/applets/4122DFB4.ijc (application/octet-stream)
./base/tps-client/applets/1.3.42260AFA.ijc (application/octet-stream)
./base/tps-client/applets/4003196C.ijc (application/octet-stream)
./base/tps-client/applets/1.3.4255CC01.ijc (application/octet-stream)
./base/tps-client/applets/1.3.45787308.ijc (application/octet-stream)
./base/tps-client/applets/1.3.44724DDE.ijc (application/octet-stream)
./base/tps/shared/applets/404E4697.ijc (application/octet-stream)
./base/tps/shared/applets/402428AD.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.42659461.ijc (application/octet-stream)
./base/tps/shared/applets/1.4.499dc06c.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.427BDDB8.ijc (application/octet-stream)
./base/tps/shared/applets/3FD00877.ijc (application/octet-stream)
./base/tps/shared/applets/1.2.4122DFB4.ijc (application/octet-stream)
./base/tps/shared/applets/1.2.416DA155.ijc (application/octet-stream)
./base/tps/shared/applets/1.4.4d40a449.ijc (application/octet-stream)
./base/tps/shared/applets/4122DFB4.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.42260AFA.ijc (application/octet-stream)
./base/tps/shared/applets/4003196C.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.4255CC01.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.45787308.ijc (application/octet-stream)
./base/tps/shared/applets/1.3.44724DDE.ijc (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-Regular-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-Bold-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-Semibold-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-Light-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/glyphicons-halflings-regular.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-Italic-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/OpenSans-BoldItalic-webfont.woff (application/octet-stream)
./base/server/share/webapps/pki/fonts/fontawesome-webfont.woff (application/octet-stream)
which ones are critical to have in order for the software to work,
and which ones can be safely deleted?
[1] https://www.debian.org/doc/debian-policy/ch-archive.html#s-dfsg #2
--
t
10 years, 4 months
Re: [Pki-devel] [Freeipa-users] strange error from EL 7 install?
by Fraser Tweedale
On Mon, Oct 13, 2014 at 09:52:40AM -0700, Janelle wrote:
> After further investigation - it looks like the PKI base was altered/updated
> because even on a running server a yum update produces same error:
>
> # yum check-update
> Loaded plugins: fastestmirror, product-id, subscription-manager, versionlock
> Loading mirror speeds from cached hostfile
> * base: linux.mirrors.es.net
> * extras: mirrors.usinternet.com
> * updates: centos.host-engine.com
>
> pki-base.noarch 10.2.0-3.el7.centos freeipa
> pki-ca.noarch 10.2.0-3.el7.centos freeipa
> pki-server.noarch 10.2.0-3.el7.centos freeipa
> pki-tools.x86_64 10.2.0-3.el7.centos freeipa
> slapi-nis.x86_64 0.54-1.el7.centos freeipa
>
> and: if you select yes:
>
> ---> Package pki-base.noarch 0:10.2.0-3.el7.centos will be an update
> --> Processing Dependency: jackson-jaxrs-json-provider for package:
> pki-base-10.2.0-3.el7.centos.noarch
> --> Finished Dependency Resolution
> Error: Package: pki-base-10.2.0-3.el7.centos.noarch (freeipa)
> Requires: jackson-jaxrs-json-provider
> You could try using --skip-broken to work around the problem
>
Hi Janelle,
Looks like the COPR moved from Dogtag 10.1 to 10.2 on 8 Oct, and
10.2 declares a dependency on Jackson which is not in EPEL. The
dependency causing the problem (jackson-jaxrs-json-provider) was
introduced at commit 32d71bb. I'm not sure on the right approach to
fixing this but I've copied pki-devel who will be able to help.
Fraser
>
>
> On 10/13/14 9:18 AM, Janelle wrote:
> >Happy Monday everyone...
> >
> >Wondering if anyone else is seeing this error since this weekend? Trying
> >to add in a new IPA replica, which of course requires the software
> >installed -- this is in CentOS 7 using COPR repo and :
> >
> >--> Finished Dependency Resolution
> >Error: Package: pki-base-10.2.0-3.el7.centos.noarch (ipa)
> > Requires: jackson-jaxrs-json-provider
> >
> >and yet, I have never had that issue until this weekend. :-(
> >
> >Any help?
> >Janelle
>
10 years, 4 months