[PATCH] 0010..0013 DNP3/IECUserRoles extension support
by Fraser Tweedale
Here is the first (rough) cut of IEC 62351-8 (IECUserRoles)
extension support and a DNP3 profile that makes use of it. This is
to meet (some of) the PKI needs for the "Smart Grid" DNP3 Secure
Authentication v5 (SAv5) standard.
In brief, the SN and all the IECUserRoles params will be given in
profile inputs, and the key is taken from a CertReqInput.
There's still a bit of work to go - notably, some of the
IECUserRoles fields are unimplemented, and some of those that *are*
implemented are not yet read out of the profile input but rather are
hardcoded. The extension *does* appear on the certificate, so I
should get that all completed tomorrow.
Cheers,
Fraser
9 years, 6 months
CLI for editing profiles
by Fraser Tweedale
Along with LDAP profiles, we will be adding modules to the CLI for
adding and editing profiles in the ConfigStore format that was used
for file-based profiles. For more info, see:
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili...
There is an existing CLI for adding and modifying profiles, in the
XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The
XML format carries information including the profile ID and
class_id, but these data must be supplied out-of-band when dealing
with the ConfigStore format.
Because of this, I intend to:
- add new commands to the existing profile CLI for working with the
"raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw".
Where necessary, these commands will take compulsory
``--profile-id`` and/or ``--class-id`` arguments, to account for
the absense of such information in the profile ConfigStore format;
and
- transport this information in the XML format - not in the "raw"
format - so that it will be unnecessary to make changes to
ProfileClient or the ProfileService API.
As usual, I welcome feedback - especially if you feel I am going the
wrong way ^_^
9 years, 8 months
[PATCH] pki-ftweedal-0015-Monitor-database-for-changes-to-LDAP-profiles.patch
by Fraser Tweedale
This is the first cut of the LDAP profile change monitoring. It
depends on patches 0004..0009 and 0014
(https://www.redhat.com/archives/pki-devel/2014-September/msg00052.html).
To summarise the implementation: a separate thread carries out a
persistent LDAP search and calls back into the ProfileSubsystem when
changes occur. I haven't had much experience with persistent
searches or multithreaded programming in Java, so eyeballs familiar
with those areas are needed.
I haven't yet tested with changes replicating between clones (a task
for tomorrow) but I wanted to get the patch on list for feedback as
early as possible.
Cheers,
Fraser
9 years, 8 months
[PATCH] 106, 107 Fixes for tickets 1036 and 1037
by Abhishek Koneru
Please review the attached patches with fixes for tickets 1036(man page
for profile CLI commands) and 1037 (issue in request status on
reject/cancel action on a key request).
-- Abhishek
10 years, 2 months
[PATCH] 236 - fix installation of subca with own security domain
by Ade Lee
This fixes issue 1132 and allows pkispawn to successfully install a
subCA that hosts its own security domain.
This was, in retrospect, a lot harder than I thought it was going to be.
Prior to this patch, we simply did not support this configuration with
pkispawn.
Two new parameters are introduced:
pki_subordinate_create_new_security_domain=False
pki_subordinate_security_domain_name=%(pki_dns_domainname)s Subordinate Security Domain
See man pages for correct usage.
There is only one issue left. When removing the subca using pkidestroy,
removing the entry from the master security domain currently fails due
to authentication. I'll fix that in the next patch.
This is tricky stuff so please review carefully.
Thanks.
Ade
10 years, 2 months
[PATCH] Bug 871171 - Provide Tomcat support for TLS v1.1 and TLS v1.2 (Tomcatjss)
by Christina Fu
This tomcatjss patch is for the following bug:
*Bug 871171* <https://bugzilla.redhat.com/show_bug.cgi?id=871171>
-Provide Tomcat support for TLS v1.1 and TLS v1.2 (Tomcatjss)
It provides the minimum code to support setting the ssl version range
from tomcatjss server.
The tlsv1.1 and 1.2 ciphers are made available as well.
This patch works in conjunction with the JSS patch that was sent out for
review.
Three are three new variables introduced in the server.xml :
sslVersionRangeStream - for stream protocol type. it takes a format of
"min:max" where min/max values can be "ssl3, tls1_0, tls1_1, or tls1_2"
sslVersionRangeDatagram - for datagram protocol type. it takes a format
of "min:max" where min/max values can be "tls1_1, or tls1_2"
sslRangeCiphers - a complete list of ciphers you wish to support
(provided supported by NSS) in such ssl version range.
When the new *range* parameters are set, the old sslOptions parameter is
ignored, as it is obsolete. However, if the *range* parameters are not
specified, the sslOptions will be supported as before.
thanks,
Christina
10 years, 2 months
[PATCH] ipa-pki-theme, old unused UI directories, pki-selinux, and pki-migrate removal
by Matthew Harmsen
Please review the following three patches which address these bugs:
* PKI TRAC Ticket #1136 - Remove ipa-pki-theme component
<https://fedorahosted.org/pki/ticket/1136>
* PKI TRAC Ticket #1139 - Remove 'selinux' code from 'master' branch
<https://fedorahosted.org/pki/ticket/1139>
* PKI TRAC Ticket #1138 - Remove 'migrate' source code from master
branch <https://fedorahosted.org/pki/ticket/1138>
*IMPORTANT: Since the patches alter some of the same files, they must
be installed in the following order:**
*
1. 20140923-Remove-IPA-theme-component-and-old-unused-UI-directories.patch
2. 20140923-Remove-pki-selinux-code.patch
3. 20140923-Remove-pki-migrate-code.patch
These patches were applied, built (using both the compose scripts as
well as Eclipse), installed, and tested on an x86_64 Fedora 20 machine
for the following PKI subsystems and consoles:
* CA
* KRA
* OCSP
* TKS
* TPS
* CA Console
* KRA Console
* OCSP Console
* TKS Console
10 years, 2 months
