May 2015 - Pki-devel - Dogtag Pki List Archives

[PATCH] 596 Fixed problem redeploying subsystem.

by Endi Sukma Dewata

The pki-server subsystem-enable CLI has been modified to deploy the subsystem from a custom location if available, or from the default location otherwise. https://fedorahosted.org/pki/ticket/1381 -- Endi S. Dewata

9 years, 2 months

2
2
0 / 0

[PATCH] 595 Added key-show option.

by Endi Sukma Dewata

The key-show CLI has been modified to provide an option to find the active key info using the client key ID. -- Endi S. Dewata

9 years, 2 months

2
2
0 / 0

[PATCH] establish contents of serverCertNick.conf

by Matthew Harmsen

Please review the attached patch which addresses the following ticket: * PKI TRAC Ticket #1370 - pkispawn: installation with HSM from external CA should hold off prepending token name in serverCertNick.conf till phase 2 <https://fedorahosted.org/pki/ticket/1370> The code was successfully tested on a machine with an attached HSM.

9 years, 2 months

2
1
0 / 0

[PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch

by Christina Fu

Please review. This patch address the missing REST API auth/authz auditing part of the ticket https://fedorahosted.org/pki/ticket/1160 The kra for getKeyInfo will come as a separate patch after this. here are sample signed audit log messages resulted from my test cases: pki -d . -c netscape -h kraHost -p 28443 -P https -n "PKI Administrator for kraHost" key-find --maxResults -5 == case when running the above request as a kraadmin with valid cert == 0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success 0.http-bio-28443-exec-1 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success 0.http-bio-28443-exec-2 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success 0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys] authorization success 0.http-bio-28443-exec-4 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success == case when running the above request as a caadmin with ca admin cert == 0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, EMAILADDRESS=caadmin(a)idm.lab.bos.redhat.com, O=idm.lab.bos.redhat.com Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure == case when creating a caadmin in the kra user db but not given any group privilege == 0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success 0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success 0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success 0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure 0.http-bio-28443-exec-3 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success thanks, Christina

9 years, 2 months

2
5
0 / 0

[PATCH] - modify spec file requires for tomcatjss and nuxwdog

by Ade Lee

Please review. Ade

9 years, 2 months

2
2
0 / 0

[PATCH] 594 Refactored upgrade scripts.

by Endi Sukma Dewata

The upgrade scripts have been modified to use the uid and gid provided by PKIInstance object. https://fedorahosted.org/pki/ticket/1341 -- Endi S. Dewata

9 years, 2 months

1
0
0 / 0

[PATCH] 591 Added options for internal token and replication passwords.

by Endi Sukma Dewata

The installation code has been modified such that it provides several options for internal token and replication passwords: * reuse the same admin/database passwords (default) * specify new psaswords * generate new random passwords https://fedorahosted.org/pki/ticket/1354 -- Endi S. Dewata

9 years, 2 months

1
1
0 / 0

[PATCH] patch to pki-core for nuxwdog systemd support

by Ade Lee

Patches to get nuxwdog working with systemd This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts. To use nuxwdog to start the instance, a user needs to do the following: 1. Create an instance normally. 2. Run: pki-server instance-nuxwdog-enable <instance_name> 3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@<instance_name>.service To revert the instance, simply do the following: 1. Run: pki-server instance-nuxwdog-disable <instance_name> 2. Start the instance using: systemctl start pki-tomcatd@<instance_name>.service To do all this, you need the latest nuxwdog (with the patches I just posted). Whats missing: 1. documentation. That will come next. 2. right now -- under nuxwdog, java runs as root. We will need to change this. 3. Not integrated with pkispawn. Basically, if you want to add a new subsystem to an nuxwdog-ed instance, you will need to revert to a non-nuxwdog instance first. Ade

9 years, 2 months

2
4
0 / 0

[PATCH] 593 Fixed installation logs.

by Endi Sukma Dewata

To help troubleshooting installation failures the pkihelper.py has been modified to display the error code returned by the server before parsing the error message. If there is a parsing error, the unparsed message will now be displayed. The redundant 'raise' and 'return' statements have been removed. -- Endi S. Dewata

9 years, 2 months

2
2
0 / 0

Using Dog Tag as SCEP Server for iOS MDM Profile Installation

by Amruta Agnihotri

Hi, I am planning to explore Dog Tag to use as a SCEP Server and CA for the process of MDM profile installation on iOS Devices. Could you please let me know if Dog Tag supports this feature? Can Dog Tag be used by iOS devices to directly request certificates from it? -Thanks, Amruta Agnihotri

9 years, 2 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Pki-devel May 2015