[Freeipa-devel] Announcing the release of Dogtag 10.0.2

Ade Lee alee at redhat.com
Fri May 3 02:09:29 UTC 2013

The Dogtag team is proud to announce the second errata build for 
Dogtag v10.0.0. 

Builds are available for Fedora 18 and Fedora 19 in the updates-testing
repo.  Please try it out and provide karma to move them to the F18 and
F19 stable repos.

Daily developer builds for Fedora 17, 18 and 19 are available at

== Build Versions ==

== Highlights since Dogtag v. 10.0.1 ==
* A new Python client framework has been written to connect to the
restful interface on the java subsystems.  This interface was used
for some installation functionality and will continue to be expanded.

* pkispawn and pkidestroy were modified to use the new Python client
framework and the dependency on jython was eliminated.

* The installation interfaces were changed so that most of the
installation interactions take place over the admin interface.

* New command line parameters have been added to pkidestroy to provide
the username and password of the security domain administrator to update
the security domain.  Formerly, no credentials were required because we
used the subsystem certificate of the subsystem for authentication.  The
new method provides better auditing as to exactly who is de-registering
and removing a subsystem.  As such, use of the new options is
recommended, and will be made mandatory in a future release.

* Although it is possible to run Dogtag 9 style instances on Dogtag 10,
these instances do not have the required configuration to expose the
RESTful interface.  A new servlet has been added to return 501 (Not
implemented) on these instances when the REST URLs are accessed.  This
is only applicable on Fedora 18 (See Fedora 19 note below).

* A new interactive mode has been added to pkispawn and pkidestroy.  In
this mode, users are prompted for details in order to set up the most
basic servers.  Any customizations would still need to be done through
configuration files.   Interactive mode is an excellent way for users to
set up a server and become familiar with Dogtag.

* Support has been added for the random generation of serial numbers for
certificates issued.  More details about this feature and how to enable
it can be found here: 

* Nonces are used in Dogtag to prevent cross-site request forgery and
replay attacks, but they were stored in a global list.  To prevent
possible collisions with other users' nonces, they are now stored in
each user's session.

* Previously, session IDs were generated using /dev/random, which may
block under certain circumstances, making server startup slow. To avoid
this, the server configuration has been changed to use PKCS11PRNG
provided by JSS.

* A new upgrade framework has been added to allow instances to be
automatically upgraded when new packages are installed.  This framework
will be used to eventually remove the need for migrations between
releases.  The upgrade scripts are invoked by postinstall scriptlets in
the pki-base and pki-server packages.  On completing an upgrade, users
should check the upgrade logs in /var/log/pki/pki-upgrade-*.log
and /var/log/pki/pki-server-upgrade-*.log for any errors.  The upgrade
scripts (pki-upgrade and pki-server-upgrade) can also be run manually.
Additional troubleshooting information can be found at:

* New CLI has been added to simplify client certificate management
including importing and trusting CA certificates.

* Previously, the pki CLI tool used the same parameter (-w) to specify
both user and client certificate database passwords.  The CLI has been
modified to use a new parameter (-c) for the database password, and -w
for the user password.

* Multiple additional fixes to pkispawn, pkidestroy, pki and their man

== Notes on Fedora 19 ==
Fedora 19 does not provide tomcat 6.  Dogtag 9 style instances will
therefore no longer work on Fedora 19.  These instances need to be
migrated to Dogtag 10.

To prevent inadvertently disabling Dogtag instances, code has been added
to prevent upgrades to Fedora 19 if Dogtag 9 instances exist.  Details
on how to upgrade Dogtag 9 instances and workarounds can be found at:

== Detailed Changes since Dogtag v. 10.0.1 ==

akoneru (23):
#191 Map REST exceptions to HTTP status codes
#217 CLI should display message on operations that complete with error
#290 Add hints to option descriptions for cert-find cli command
#383 Extend coverity tests to scan other subsystems (TPS, etc.)
#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
#465 Verify 'pki_backup_keys=True' if 'pki_backup_password' is set
#470 Prevent concurrent execution of pkispawn/pkidestroy
#471 Update man pages for interactive pkispawn/pkidestroy
#493 interpolation in pkispawn scripts should not apply to passwords
#502 Change pkidestroy "-w" option to require a password file
#507 Mark pki.conf as configuration file in RPM spec
#509 man page for pkispawn should be modified to specify 
     pki_ca_signing_subject_dn when setting up subordinate CA
#514 Clean up pkispawn output
#521 Separate python deployment engine from python deployment 
     scriptlets source code
#525 Incorrect info in pkispawn man page
#536 Catch keyboard interrupt
#542 Remove all "respawn()" logic from "pkispawn"
#543 Incorrect user-show usage.
#549 PKCS10Client tool throws java exception NoClassDefFoundError
#563 Use timeout in configuration script
#566 Mask sensitive parameters in archived config
#592 pkispawn not reporting the error message when exceptions are thrown
#593 Error caused by JSON Configuration result decoding when installing 
     CA clone

alee (9):
#232 add python binding for pkispawn/ pkidestroy
#419 REST interface for cert requests
#532 refactor pkispawn to use new python client
#546 Upgrade script for clone installation
#564 Rename base/deploy to base/server
#589 dependency needed for java-atk-wrapper in f19
#578 Rest API does not work on d9 -> d10 upgrade instances
#590 pki-base needs to deliver /var/log/pki
#597 Create 10.0.2 builds

awnuk (7):
#569 Port support for random certificate serial numbers to Dogtag 10
#570 Port patch allowing to support random certificate serial numbers  
     for system certificates to Dogtag 10
#579 Port patch allowing to clone CA with random serial number enabled.
#580 Port patch allowing to restart CA clone during configuration 
     change to random serial numbers.
#584 Port patch including system certificates with random serial 
     numbers in the certificate counter.
BZ 955784 - Correct Javascript inability to handle big numbers
BZ 951501 - Corrects key IDs miscalculated by Javascript

cfu (6):
BZ 929043 - serverCert.profile with SAN results in
BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing
BZ 904289 - Add ECC Support to Certificate Profiles
BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
BZ 903401 - TMS: RSA token enrollment failed : public key decode error
#362 CMC ECC 

edewata (24):
#190 REST interface for user-group membership.
#291 Fix format of validityUnit option in cert-find command
#380 default install: part 2
#472 pkispawn should test DS info
#473 pkispawn should test security domain info
#474 Session-based nonces
#476 Limit username & password authentication
#477 Annotation for authentication methods
#491 Prompt CLI user on certificate warnings.
#497 Date format for cert-find
#498 [RFE] Add dates to cert-find output
#500 validityCount option returns 500 error
#501 Add cert status option to cert-find
#503 Dogtag 10: Security Domain Issues
#511 Add cert-request-show command.
#520 CLI returns 0 on error
#523 Add CLI option to capture HTTP data
#524 Tomcat blocks during startup
#535 python-requests compatibility problem
#541 Use FQDN instead of localhost in CLI
#544 Implement upgrade framework
#545 Upgrade script for random number generator
#553 pki.conf needs to be delivered by pki-base
#598 Upgrade script for JNI_JAR_DIR

jmagne (1):
#587 ipa-server-install crashes due to sslget error

mharmsen (7):
#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
#517 Clean up theme dependencies
#518 Remove UI dependencies from pkispawn
#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
BZ 947524 - Clone installation does not work over NAT
BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar
