[PATCH] 595 Added key-show option.
by Endi Sukma Dewata
The key-show CLI has been modified to provide an option to find
the active key info using the client key ID.
--
Endi S. Dewata
9 years, 4 months
[PATCH] pki-cfu-0058-Ticket-1160-audit-logging-needed-REST-API-auth-authz.patch
by Christina Fu
Please review. This patch addresses the missing REST API auth/authz
auditing part of the ticket https://fedorahosted.org/pki/ticket/1160
The kra for getKeyInfo will come as a separate patch after this.
Here are sample signed audit log messages resulting from my test cases:
pki -d . -c netscape -h kraHost -p 28443 -P https -n "PKI Administrator for kraHost" key-find --maxResults -5
== case when running the above request as a kraadmin with valid cert ==
0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-28443-exec-1 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
0.http-bio-28443-exec-2 - [07/May/2015:14:30:27 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys] authorization success
0.http-bio-28443-exec-4 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
== case when running the above request as a caadmin with ca admin cert ==
0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, EMAILADDRESS=caadmin(a)idm.lab.bos.redhat.com, O=idm.lab.bos.redhat.com Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
== case when creating a caadmin in the kra user db but not given any
group privilege ==
0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-28443-exec-18 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=login][Info=AccountResource.login] authorization success
0.http-bio-28443-exec-19 - [07/May/2015:14:48:31 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=null][Op=null][Info=ACL mapping not found; OK:SystemCertResource.getTransportCert] authorization success
0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure
0.http-bio-28443-exec-3 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.kra.account][Op=logout][Info=AccountResource.logout] authorization success
thanks,
Christina
9 years, 4 months
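As an added example (not part of Christina's patch or the Dogtag code base), a small Python parser for audit lines in the format quoted above: it pulls out the bracketed key=value attributes and tallies the AUTH_FAIL / AUTHZ_FAIL events that a defender would route to alerting. The sample lines are constructed in that same format (a real audit event is one line; the e-mail wrapped them), and the meaning of the two numeric bracket fields after the timestamp is not assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the audit messages quoted above
# (one event per line; the DN subject uses a placeholder domain).
SAMPLE_LOG = """\
0.http-bio-28443-exec-1 - [07/May/2015:14:30:26 EDT] [14] [6] [AuditEvent=AUTH_SUCCESS][SubjectID=kraadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
0.http-bio-28443-exec-3 - [07/May/2015:14:30:28 EDT] [14] [6] [AuditEvent=AUTHZ_SUCCESS][SubjectID=kraadmin][Outcome=Success][aclResource=certServer.kra.keys][Op=execute][Info=KeyResource.listKeys] authorization success
0.http-bio-28443-exec-6 - [07/May/2015:14:31:24 EDT] [14] [6] [AuditEvent=AUTH_FAIL][SubjectID=CN=PKI Administrator, O=Example Security Domain][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=$Unidentified$] authentication failure
0.http-bio-28443-exec-2 - [07/May/2015:14:48:32 EDT] [14] [6] [AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.kra.keys][Op=execute][Info=Authorization Error] authorization failure
"""

# "<thread> - [<timestamp>] [<n>] [<n>] <bracketed attributes> <description>"
HEADER_RE = re.compile(
    r"^(?P<thread>\S+) - \[(?P<time>[^\]]+)\] \[\d+\] \[\d+\] (?P<rest>.*)$")
# Attribute values never contain ']', but may contain '=' (e.g. a DN SubjectID).
ATTR_RE = re.compile(r"\[(\w+)=([^\]]*)\]")


def parse_audit_line(line):
    """Return the bracketed attributes plus timestamp and trailing description,
    or None when the line is not an audit event in this format."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    event = dict(ATTR_RE.findall(rest))
    event["timestamp"] = m.group("time")
    # Everything after the last ']' is the human-readable description.
    event["message"] = rest[rest.rfind("]") + 1:].strip()
    return event


def failed_events(log_text):
    """All AUTH_FAIL / AUTHZ_FAIL events, i.e. every event whose Outcome is Failure."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return [e for e in events if e and e.get("Outcome") == "Failure"]


def failures_by_subject(log_text):
    """Count failures per SubjectID: a burst for one subject is the signal to alert on."""
    return Counter(e.get("SubjectID", "?") for e in failed_events(log_text))


if __name__ == "__main__":
    for ev in failed_events(SAMPLE_LOG):
        print(ev["timestamp"], ev["AuditEvent"], ev["SubjectID"], ev.get("aclResource"))
    print(failures_by_subject(SAMPLE_LOG))
```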
[PATCH] patch to pki-core for nuxwdog systemd support
by Ade Lee
Patches to get nuxwdog working with systemd
This patch adds some new unit files and targets for starting instances
with nuxwdog, as well as logic within the pki-server nuxwdog module to
switch to/from the old and new systemd unit files.
It also corrects some issues found in additional testing of the nuxwdog
change scripts.
To use nuxwdog to start the instance, a user needs to do the following:
1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable <instance_name>
3. Start the instance using:
systemctl start pki-tomcatd-nuxwdog@<instance_name>.service
To revert the instance, simply do the following:
1. Run: pki-server instance-nuxwdog-disable <instance_name>
2. Start the instance using:
systemctl start pki-tomcatd@<instance_name>.service
To do all this, you need the latest nuxwdog (with the patches I just posted).
What's missing:
1. documentation. That will come next.
2. right now -- under nuxwdog, Java runs as root. We will need to change this.
3. Not integrated with pkispawn. Basically, if you want to add a new subsystem to a nuxwdog-ed instance, you will need to revert to a non-nuxwdog instance first.
Ade
9 years, 4 months
[PATCH] 593 Fixed installation logs.
by Endi Sukma Dewata
To help troubleshooting installation failures the pkihelper.py has
been modified to display the error code returned by the server before
parsing the error message. If there is a parsing error, the unparsed
message will now be displayed.
The redundant 'raise' and 'return' statements have been removed.
--
Endi S. Dewata
9 years, 4 months
Using Dog Tag as SCEP Server for iOS MDM Profile Installation
by Amruta Agnihotri
Hi,
I am planning to explore Dog Tag to use as a SCEP Server and CA for the
process of MDM profile installation on iOS Devices. Could you please let me
know if Dog Tag supports this feature?
Can Dog Tag be used by iOS devices to directly request certificates from it?
-Thanks,
Amruta Agnihotri
9 years, 4 months