[Pki-devel] Announcing 'Dogtag 10.0.0 (Alpha)'

Matthew Harmsen mharmsen at redhat.com
Thu Mar 15 03:23:50 UTC 2012


The Dogtag team is pleased to announce the availability of an Alpha 
Release of the Dogtag 10.0 code.

This release contains the following features:

1. Extension of the functionality of the DRM to store and retrieve symmetric keys and
    passphrases, rather than only asymmetric keys.  This feature allows the DRM to be used as a
    secure vault-like storage for essentially any sensitive data.  The data is stored using the
    same secure FIPS-compliant storage mechanism used to store PKI keys.
2. The new DRM functionality is exposed through a new REST interface, provided by the RESTEasy
    framework.  This provides an intuitive mechanism for writing clients to the interface.  Both
    Java (using the RESTEasy client proxy framework) and Python clients have been coded.  The
    server uses standard Java libraries to generate and parse XML or JSON input and output data.
3. Extracted authentication and authorization code from the individual servlets into a standard
    Tomcat authentication realm.  This realm has been configured to require client certificate
    authentication, and is being used to secure the new DRM REST interface.  In the future, this
    authentication realm could be extended to include other kinds of authentication (such as
    Kerberos).  This is part of a push to refactor the code to expose the core business
    functionality in the servlets, while extracting the ancillary tasks (authentication,
    authorization, XML parsing and generation, etc.) and using standard methods and libraries to
    accomplish these tasks.
4. Enhanced Java subsystems so that they could connect to the internal database using a
    non-directory manager user that is authenticated using client authentication.  This resolves
    a number of issues with LDAP operations ignoring search limits.  In addition, some changes
    have been made to allow integrating the Dogtag database with other systems such as IPA.
5. A new package pki-deploy contains the initial framework for a Python-based
    installer/de-installer (pkispawn/pkidestroy) that will be used to install and configure a
    Dogtag instance.  This will ultimately replace the pki-setup installer/de-installer
    (pkicreate, pkidestroy) package, and the pki-silent instance configuration (pkisilent)
    package.
6. Much of the focus of this release was on cleaning up and modernizing the Dogtag source code.
    * Dogtag source code has been moved to git.
    * Java coding standards have been revised - and the code has been reformatted to match those
      standards.
    * Initially, Eclipse reported about 13000 warnings in the Dogtag code. Those have been
      reduced to close to 2400.  This included removing dead and unused code, replacing calls to
      deprecated functions and replacing raw collections with type-safe generics.
      NOTE:  These numbers currently exclude console code.
    * OSUtil is a package that has certain utilities that were not available when the Dogtag
      code was originally written.  These utilities are now available in current standard
      libraries - and so this package has been eliminated entirely.
    * Improved handling of short- and long-lived threads, which allows threads to exit
      gracefully on shutdown.

The builds can be found at the following links:

    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/i686 - Fedora 16 (32-bit i686)
    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/RPMS/x86_64 - Fedora 16 (64-bit x86_64)
    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc16/SRPMS - Fedora 16 (Source)
    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/i686 - Fedora 17 (32-bit i686)
    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/RPMS/x86_64 - Fedora 17 (64-bit x86_64)
    * http://pki.fedoraproject.org/pki/download/pki/10.0.0.alpha/fc17/SRPMS - Fedora 17 (Source)



