From akoneru at redhat.com Tue Apr 2 16:54:15 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 02 Apr 2013 12:54:15 -0400
Subject: [Pki-devel] [PATCH] 46 Prevent concurrent execution of pkispawn and pkidestroy
Message-ID: <1364921655.2218.5.camel@akoneru.redhat.com>

Please review the patch which adds a locking mechanism to prevent
pkispawn and pkidestroy to execute concurrently.

Ticket #470.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0046-Prevent-concurrent-execution-of-pkispawn-pkidestroy.patch
Type: text/x-patch
Size: 6534 bytes
Desc: not available

From edewata at redhat.com Tue Apr 2 20:36:04 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 02 Apr 2013 15:36:04 -0500
Subject: [Pki-devel] [PATCH] 45 Remove pki_backup_password from examples in pkispawn man page. Ticket #465
In-Reply-To: <1364495482.30952.6.camel@akoneru.redhat.com>
References: <1364495482.30952.6.camel@akoneru.redhat.com>
Message-ID: <515B4134.8040904@redhat.com>

On 3/28/2013 1:31 PM, Abhishek Koneru wrote:
> Please review the patch with a minor change in pkispawn man page.

The pki_backup_password should be removed from the sample config files
in base/deploy/config as well. Other than that, ACK.

-- 
Endi S. Dewata

From cfu at redhat.com Tue Apr 2 20:42:12 2013
From: cfu at redhat.com (Christina Fu)
Date: Tue, 02 Apr 2013 13:42:12 -0700
Subject: [Pki-devel] request for review: Bug 929043 serverCert.profile with SAN results in SubjectAltNameExtDefault gname is empty, not added in cert ext in installation wizard
Message-ID: <515B42A4.2020206@redhat.com>

Please find fix for the bug below:
https://bugzilla.redhat.com/show_bug.cgi?id=929043

https://bugzilla.redhat.com/attachment.cgi?id=730947&action=diff

with example profile serverCert.profile.exampleWithSAN:
https://bugzilla.redhat.com/attachment.cgi?id=730948

please review.

thanks!
Christina

From edewata at redhat.com Tue Apr 2 20:52:55 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 02 Apr 2013 15:52:55 -0500
Subject: [Pki-devel] [PATCH] 46 Prevent concurrent execution of pkispawn and pkidestroy
In-Reply-To: <1364921655.2218.5.camel@akoneru.redhat.com>
References: <1364921655.2218.5.camel@akoneru.redhat.com>
Message-ID: <515B4527.8000201@redhat.com>

On 4/2/2013 11:54 AM, Abhishek Koneru wrote:
> Please review the patch which adds a locking mechanism to prevent
> pkispawn and pkidestroy to execute concurrently.

Some comments:

1. This mechanism locks the entire system, so only one
pkispawn/pkidestroy can run at any time. Is this the intended behavior?
Or should we lock a particular instance only?

2. If another script is already running, the current script will block
until the other script is done. Is this the intended behavior? Or should
it fail immediately? Or should it wait but show a message saying another
script is running?

3. Right now the lock file is called /tmp/pkioperationlock.lck. It might
be better to move it into /var/run/pki/pki-deployment.lock or something
like that.

-- 
Endi S. Dewata

From mharmsen at redhat.com Tue Apr 2 20:54:59 2013
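The three review points above (lock scope, fail-fast versus wait-with-message, and lock file location) combined in one advisory-lock helper, as an added example that is not part of the thread or of the PKI code base. The class name, the lock file names and the instance-name pattern are assumptions; only the /var/run/pki location comes from the review.

```python
import errno
import fcntl
import os
import re
import tempfile

# Directory taken from the review suggestion (/var/run/pki/pki-deployment.lock).
# A root-owned directory avoids the pre-creation and symlink tricks that a
# predictable name in world-writable /tmp allows.
DEFAULT_LOCK_DIR = "/var/run/pki"

# Assumed pattern for instance names; rejects path separators and "..".
_SAFE_INSTANCE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]*$")


class DeploymentLock(object):
    """Advisory flock() lock, system-wide or per instance (hypothetical helper)."""

    def __init__(self, lock_dir=DEFAULT_LOCK_DIR, instance=None):
        if instance is None:
            name = "pki-deployment.lock"                 # one operation per system
        elif _SAFE_INSTANCE.match(instance):
            name = "pki-deployment-%s.lock" % instance   # one per instance
        else:
            raise ValueError("unsafe instance name: %r" % (instance,))
        self.path = os.path.join(lock_dir, name)
        self._fd = None

    @staticmethod
    def _try_lock(fd):
        """Return True if the exclusive lock was taken without blocking."""
        try:
            fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
            return True
        except OSError as exc:
            if exc.errno in (errno.EAGAIN, errno.EWOULDBLOCK, errno.EACCES):
                return False
            raise

    def acquire(self, wait=False, notify=print):
        """Take the lock.

        wait=False: return False at once if another script holds it.
        wait=True:  call notify() once, then block until it is released.
        """
        if self._fd is not None:
            raise RuntimeError("lock already held by this object")
        # O_NOFOLLOW: refuse a symlink planted at the lock path.
        flags = os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
        fd = os.open(self.path, flags, 0o600)
        try:
            held = self._try_lock(fd)
            if not held and wait:
                notify("Another pkispawn/pkidestroy is running; waiting "
                       "(Ctrl-C to give up): %s" % self.path)
                fcntl.flock(fd, fcntl.LOCK_EX)   # blocks until released
                held = True
        except BaseException:                    # includes KeyboardInterrupt
            os.close(fd)
            raise
        if not held:
            os.close(fd)
            return False
        self._fd = fd
        return True

    def release(self):
        """Drop the lock; the kernel also drops it if the process dies."""
        if self._fd is not None:
            fd, self._fd = self._fd, None
            fcntl.flock(fd, fcntl.LOCK_UN)
            os.close(fd)


def demo():
    """Constructed scenario in a temporary directory (no root needed)."""
    lock_dir = tempfile.mkdtemp(prefix="pki-lock-demo-")
    first = DeploymentLock(lock_dir)
    second = DeploymentLock(lock_dir)
    results = {"first": first.acquire()}
    results["second_fail_fast"] = second.acquire(wait=False)
    # Per-instance scope: unrelated instances do not block each other, so the
    # shared steps (SELinux changes, port checks) would need their own guard.
    inst_a = DeploymentLock(lock_dir, "pki-tomcat")     # constructed names
    inst_b = DeploymentLock(lock_dir, "pki-tomcat2")
    results["instances"] = inst_a.acquire() and inst_b.acquire()
    first.release()
    results["second_after_release"] = second.acquire(wait=False)
    for lock in (second, inst_a, inst_b):
        lock.release()
    return results


if __name__ == "__main__":
    print(demo())
```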
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Tue, 02 Apr 2013 13:54:59 -0700
Subject: [Pki-devel] request for review: Bug 929043 serverCert.profile with SAN results in SubjectAltNameExtDefault gname is empty, not added in cert ext in installation wizard
In-Reply-To: <515B42A4.2020206@redhat.com>
References: <515B42A4.2020206@redhat.com>
Message-ID: <515B45A3.6020601@redhat.com>

On 04/02/13 13:42, Christina Fu wrote:
> Please find fix for the bug below:
> https://bugzilla.redhat.com/show_bug.cgi?id=929043
>
> https://bugzilla.redhat.com/attachment.cgi?id=730947&action=diff
>
> with example profile serverCert.profile.exampleWithSAN:
> https://bugzilla.redhat.com/attachment.cgi?id=730948
>
> please review.
>
> thanks!
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

ACK

From akoneru at redhat.com Tue Apr 2 21:11:32 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 02 Apr 2013 17:11:32 -0400
Subject: [Pki-devel] [PATCH] 45 Remove pki_backup_password from examples in pkispawn man page. Ticket #465
In-Reply-To: <515B4134.8040904@redhat.com>
References: <1364495482.30952.6.camel@akoneru.redhat.com> <515B4134.8040904@redhat.com>
Message-ID: <1364937092.2218.6.camel@akoneru.redhat.com>

Removed the entries in sample configuration files.
Pushed to master.

--Abhishek

On Tue, 2013-04-02 at 15:36 -0500, Endi Sukma Dewata wrote:
> On 3/28/2013 1:31 PM, Abhishek Koneru wrote:
> > Please review the patch with a minor change in pkispawn man page.
>
> The pki_backup_password should be removed from the sample config files
> in base/deploy/config as well. Other than that, ACK.
>

From akoneru at redhat.com Tue Apr 2 21:13:24 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 02 Apr 2013 17:13:24 -0400
Subject: [Pki-devel] [PATCH] 44 Change the timeout implementation to be based on time Ticket 563
In-Reply-To: <515B404C.50600@redhat.com>
References: <1364493346.30952.4.camel@akoneru.redhat.com> <515B404C.50600@redhat.com>
Message-ID: <1364937204.2218.7.camel@akoneru.redhat.com>

Addressed all the comments. Pushed to master.

--Abhishek

On Tue, 2013-04-02 at 15:32 -0500, Endi Sukma Dewata wrote:
> On 3/28/2013 12:55 PM, Abhishek Koneru wrote:
> > Please review the patch with fixes for ticket 563.
> >
> > This patch also has a small miscellaneous addition to pkidestroy man
> > page SYNOPSIS section, adding the -u and -W option to it.
>
> Some comments:
>
> 1. The -u and -W options each take an argument. They should be specified
> in the SYNOPSIS as well like -s, -i, and -p.
>
> 2. The order of the options in SYNOPSIS should match how they are
> ordered in the OPTIONS.
>
> 3. I think we want to keep the sleep(1). It will avoid too many loops in
> case the get_instance_status() finishes quickly.
>
> 4. You could also move (stop_time-start_time) after stop_time =
> datetime.today(). This way the line stop_time = start_time is no longer
> necessary.
>
> Other than that it's ACKed. Please fix before push.
>

From edewata at redhat.com Tue Apr 2 20:32:12 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 02 Apr 2013 15:32:12 -0500
Subject: [Pki-devel] [PATCH] 44 Change the timeout implementation to be based on time Ticket 563
In-Reply-To: <1364493346.30952.4.camel@akoneru.redhat.com>
References: <1364493346.30952.4.camel@akoneru.redhat.com>
Message-ID: <515B404C.50600@redhat.com>

On 3/28/2013 12:55 PM, Abhishek Koneru wrote:
> Please review the patch with fixes for ticket 563.
>
> This patch also has a small miscellaneous addition to pkidestroy man
> page SYNOPSIS section, adding the -u and -W option to it.

Some comments:

1. The -u and -W options each take an argument. They should be specified
in the SYNOPSIS as well like -s, -i, and -p.

2. The order of the options in SYNOPSIS should match how they are
ordered in the OPTIONS.

3. I think we want to keep the sleep(1). It will avoid too many loops in
case the get_instance_status() finishes quickly.

4. You could also move (stop_time-start_time) after stop_time =
datetime.today(). This way the line stop_time = start_time is no longer
necessary.

Other than that it's ACKed. Please fix before push.

-- 
Endi S. Dewata

From edewata at redhat.com Tue Apr 2 22:27:30 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 02 Apr 2013 17:27:30 -0500
Subject: [Pki-devel] [PATCH] 42 Separate python deployment engine source code from python scriptlets code Trac ticket #521
In-Reply-To: <1364316653.2172.3.camel@akoneru.redhat.com>
References: <1364316653.2172.3.camel@akoneru.redhat.com>
Message-ID: <515B5B52.70902@redhat.com>

On 3/26/2013 11:50 AM, Abhishek Koneru wrote:
> Please review the attached patch which deals with the trac ticket 521.

The patch fixes the location of the files in the repo, but they are
still installed into the same location (i.e. /pki/deployment). We
probably need to reorganize them into the separate python modules, but
that can be done separately.

This patch itself is ACKed. Please rebase before push.

-- 
Endi S. Dewata

From alee at redhat.com Wed Apr 3 14:52:12 2013
From: alee at redhat.com (Ade Lee)
Date: Wed, 03 Apr 2013 10:52:12 -0400
Subject: [Pki-devel] [PATCH] 46 Prevent concurrent execution of pkispawn and pkidestroy
In-Reply-To: <1364999794.7867.10.camel@akoneru.redhat.com>
References: <1364921655.2218.5.camel@akoneru.redhat.com> <515B4527.8000201@redhat.com> <1364999794.7867.10.camel@akoneru.redhat.com>
Message-ID: <1365000732.32061.11.camel@aleeredhat.laptop>

On Wed, 2013-04-03 at 10:36 -0400, Abhishek Koneru wrote:
> Hi Ade,
>
> Please share your views on this. It is regarding a ticket to prevent a
> concurrent execution of pkispawn/pkidestroy.
>
> On Tue, 2013-04-02 at 15:52 -0500, Endi Sukma Dewata wrote:
> On 4/2/2013 11:54 AM, Abhishek Koneru wrote:
> > Please review the patch which adds a locking mechanism to prevent
> > pkispawn and pkidestroy to execute concurrently.
>
> Some comments:
>
> 1. This mechanism locks the entire system, so only one
> pkispawn/pkidestroy can run at any time. Is this the intended behavior?
> Or should we lock a particular instance only?
>
> I think it was decided to allow only one pkispawn/pkidestroy for an
> entire system.

pkispawn and pkidestroy do selinux operations. Only one set of selinux
operations should be done at a time. Not doing this could cause an
operation to fail or worse. If you like, you could try to lock this
section only, but then you still need to ensure that concurrent
operations do not affect the same data -- for instance, are they touching
the same ports?

The simplest and easiest solution will be to lock to having one
operation per system at a time.

>
> 2. If another script is already running, the current script will block
> until the other script is done. Is this the intended behavior? Or should
> it fail immediately? Or should it wait but show a message saying another
> script is running?
>
> Since only the section of code which does spawn()/destroy() are under
> lock, all the user details are taken by that time. But the blocked
> script will be waiting for some time. I think showing a message would be
> nice as Endi reviewed.
>

My first thought was that it should fail immediately. But I could see
having it wait with the relevant message. The user can then choose to
control-C if they want.

> 3. Right now the lock file is called /tmp/pkioperationlock.lck. It might
> be better to move it into /var/run/pki/pki-deployment.lock or something
> like that.
>
> Will be changed.
>
> PFA the patch for your convenience.
>
> --Abhishek
>

From akoneru at redhat.com Wed Apr 3 15:25:22 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 03 Apr 2013 11:25:22 -0400
Subject: [Pki-devel] [PATCH] 47 Remove all the occurrences of respawn and the -u option in pkispawn scripts
Message-ID: <1365002722.7867.12.camel@akoneru.redhat.com>

Please review the patch with fixes for ticket 542 which removes all the
occurrences of respawn in the deployment scripts.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0047-Remove-the-respawn-logic-in-deploy-scripts.patch
Type: text/x-patch
Size: 22049 bytes
Desc: not available

From edewata at redhat.com Wed Apr 3 15:56:42 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 03 Apr 2013 10:56:42 -0500
Subject: [Pki-devel] [PATCH] 46 Prevent concurrent execution of pkispawn and pkidestroy
In-Reply-To: <1365000732.32061.11.camel@aleeredhat.laptop>
References: <1364921655.2218.5.camel@akoneru.redhat.com> <515B4527.8000201@redhat.com> <1364999794.7867.10.camel@akoneru.redhat.com> <1365000732.32061.11.camel@aleeredhat.laptop>
Message-ID: <515C513A.8070101@redhat.com>

On 4/3/2013 9:52 AM, Ade Lee wrote:
> On Wed, 2013-04-03 at 10:36 -0400, Abhishek Koneru wrote:
>> 1. This mechanism locks the entire system, so only one
>> pkispawn/pkidestroy can run at any time. Is this the intended behavior?
>> Or should we lock a particular instance only?
>>
>> I think it was decided to allow only one pkispawn/pkidestroy for an
>> entire system.
>
> pkispawn and pkidestroy do selinux operations. Only one set of selinux
> operations should be done at a time. Not doing this could cause an
> operation to fail or worse. If you like, you could try to lock this
> section only, but then you still need to ensure that concurrent
> operations do not affect the same data -- for instance, are they touching
> the same ports?
>
> The simplest and easiest solution will be to lock to having one
> operation per system at a time.

Is it because the selinux operations in general are not safe to run
concurrently? If that's the case what about selinux operations executed
by other applications, do we need to be concerned about that?

Or is this only a concern when the operations affect the same data (e.g.
same instance/ports)? This means running concurrent pkispawn to create
two unrelated instances with completely different settings should not be
blocked at all. If that's the case, there are two things that can be done:

1. Lock the instance to make sure it's not modified at the same time.

2. Check to make sure different instances don't use conflicting settings
(e.g. ports).

In general we should be able to assume that people won't use conflicting
settings in different instances. But if that happens the above steps
should catch that.

Does setup-ds.pl lock the entire system? Locking pkispawn/pkidestroy to
prevent concurrent execution doesn't really prevent someone from using
conflicting settings in a later execution.

-- 
Endi S. Dewata

From akoneru at redhat.com Wed Apr 3 17:43:08 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 03 Apr 2013 13:43:08 -0400
Subject: [Pki-devel] [PATCH] 42 Separate python deployment engine source code from python scriptlets code Trac ticket #521
In-Reply-To: <515B5B52.70902@redhat.com>
References: <1364316653.2172.3.camel@akoneru.redhat.com> <515B5B52.70902@redhat.com>
Message-ID: <1365010988.7867.14.camel@akoneru.redhat.com>

Rebased and pushed to master. But didn't mark the ticket as fixed since
the location after installation hasn't changed.

--Abhishek

On Tue, 2013-04-02 at 17:27 -0500, Endi Sukma Dewata wrote:
> On 3/26/2013 11:50 AM, Abhishek Koneru wrote:
> > Please review the attached patch which deals with the trac ticket 521.
>
> The patch fixes the location of the files in the repo, but they are
> still installed into the same location (i.e. lib>/pki/deployment). We probably need to reorganize them into the
> separate python modules, but that can be done separately.
>
> This patch itself is ACKed. Please rebase before push.
>

From cfu at redhat.com Wed Apr 3 18:26:47 2013
From: cfu at redhat.com (Christina Fu) Date: Wed, 03 Apr 2013 11:26:47 -0700 Subject: [Pki-devel] Request for review: Bug 927545 - Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC Message-ID: <515C7467.9030302@redhat.com> Please find the patch for fixing *Bug 927545* -Transport Cert signing Algorithm doesn't show ECC Signing Algorithms during DRM configuration with ECC below: https://bugzilla.redhat.com/attachment.cgi?id=731275&action=diff&context=patch&collapsed=&headers=1&format=raw I have received a lightening fast ACK from Ade. Christina -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Wed Apr 3 19:52:02 2013 From: awnuk at redhat.com (Andrew Wnuk) Date: Wed, 03 Apr 2013 12:52:02 -0700 Subject: [Pki-devel] [Patch] Cloning of CA with random serial number enabled Message-ID: <515C8862.1010401@redhat.com> This patch provides ability to clone CA with random serial number enabled. Bug: 920816. -------------- next part -------------- Index: pki/base/common/src/com/netscape/cmscore/dbs/Repository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (revision 2533) +++ pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (working copy) @@ -290,7 +290,10 @@ String increment = mDB.getIncrementConfig(mRepo); String lowWaterMark = mDB.getLowWaterMarkConfig(mRepo); - CMS.debug("Repository: minSerial " + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: minSerial:" + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: nextMinSerial: " + ((mNextMinSerial == null)?"":mNextMinSerial) + + " nextMaxSerial: " + ((mNextMaxSerial == null)?"":mNextMaxSerial)); + CMS.debug("Repository: increment:" + increment + " lowWaterMark: " + lowWaterMark); if(mMinSerial != null) mMinSerialNo = new BigInteger(mMinSerial,mRadix); 
@@ -423,7 +426,7 @@ } CMS.debug("Repository: checkRange mLastSerialNo="+mLastSerialNo); if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 || - (randomLimit != null && mCounter.compareTo(randomLimit) > 0)) { + ((!CMS.isPreOpMode()) && randomLimit != null && mCounter.compareTo(randomLimit) > 0)) { if (mDB.getEnableSerialMgmt()) { CMS.debug("Reached the end of the range. Attempting to move to next range"); Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2533) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) @@ -376,7 +376,7 @@ if (count.compareTo(BigInteger.ZERO) > 0) { counter = counter.add(count); } - } else if (s.equals("-2")) { + } else if (s.equals("-2") || (c.equals("-1") && CMS.isPreOpMode())) { count = getInRangeCount(t, minSerialNo, maxSerialNo); if (count.compareTo(BigInteger.ZERO) >= 0) { counter = count; From mharmsen at redhat.com Wed Apr 3 19:56:49 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 03 Apr 2013 12:56:49 -0700 Subject: [Pki-devel] [Patch] Cloning of CA with random serial number enabled In-Reply-To: <515C8862.1010401@redhat.com> References: <515C8862.1010401@redhat.com> Message-ID: <515C8981.60203@redhat.com> On 04/03/13 12:52, Andrew Wnuk wrote: > This patch provides ability to clone CA with random serial number > enabled. > > Bug: 920816. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK I received a demo of this patch. -------------- next part -------------- An HTML attachment was scrubbed... URL: From akoneru at redhat.com Thu Apr 4 16:35:54 2013 
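Review bot: In the CertificateRepository.java hunk (@@ -376,7 +376,7) the added clause calls c.equals("-1") while the existing test on the same line is on s, and c is not declared anywhere in the visible lines. Please confirm c is the intended variable and cannot be null at this point (or write "-1".equals(c)), and add a comment saying why "-1" is handled like "-2" only while CMS.isPreOpMode() is true.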
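Review bot: In the Repository.java checkRange hunk (@@ -423,7 +426,7) the new (!CMS.isPreOpMode()) guard switches off the randomLimit comparison during pre-op mode with no comment explaining why. A one-line comment stating the reason, and a CMS.debug line when the check is skipped, would make the behaviour traceable in the log next to the existing "checkRange mLastSerialNo=" message.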
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 04 Apr 2013 12:35:54 -0400
Subject: [Pki-devel] [PATCH] 48 Show some more information after installation
Message-ID: <1365093354.11755.6.camel@akoneru.redhat.com>

Please review the patch that prints the command to check status and the
URL of the installed subsystem.

The actual ticket also says to remove the extra console output if there
is no -v option specified. The console log level is already set to
WARNING, rather than INFO.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0048-Show-some-more-information-after-installing-a-subsys.patch
Type: text/x-patch
Size: 2432 bytes
Desc: not available

From alee at redhat.com Thu Apr 4 17:24:37 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 04 Apr 2013 13:24:37 -0400
Subject: [Pki-devel] [PATCH] in place upgrade migration changes for 8.1 branch
Message-ID: <1365096277.6468.5.camel@localhost.localdomain>

Attached are changes for in-place upgrade for the latest errata for the
8.1 branch. This only affects 8.1 - although some of the changes will
be merged into d10 as part of the upgrade framework very soon. They
will be reviewed separately.

These scripts will be tested again once Matt's changes are in, to ensure
that everything is caught. It's expected that there will be additional
issues to address. I will update spec files then.

Matt, please review.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upgrade-base.patch
Type: text/x-patch
Size: 20553 bytes
Desc: not available
-------------- next part --------------
A non-text attachment was scrubbed...
Name: upgrade-redhat.patch
Type: text/x-patch
Size: 14661 bytes
Desc: not available

From awnuk at redhat.com Thu Apr 4 18:27:20 2013
From: awnuk at redhat.com (Andrew Wnuk) Date: Thu, 04 Apr 2013 11:27:20 -0700 Subject: [Pki-devel] [Patch] CA clone restart during configuration change Message-ID: <515DC608.4050606@redhat.com> This patch provides ability to restart CA clone during configuration change to random serial numbers. Bug: 922264. -------------- next part -------------- Index: pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java (revision 2550) +++ pki/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java (working copy) @@ -1563,7 +1563,7 @@ mCA.getDBSubsystem().setEnableSerialMgmt(Boolean.valueOf(value)); //mCA.getCertificateRepository().setEnableSerialMgmt(Boolean.valueOf(value)); } else if (key.equals(Constants.PR_RANDOM_SN)) { - mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true); + mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true, false); } } Index: pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (revision 2550) +++ pki/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java (working copy) 
@@ -532,8 +532,9 @@ * * @param random "true" sets random serial number management, "false" sequential * @param updateMode "true" updates "description" attribute in certificate repository + * @param forceModeChange "true" forces certificate repository mode change */ - public void setEnableRandomSerialNumbers(boolean random, boolean updateMode); + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange); public void shutdown(); } Index: pki/base/common/src/com/netscape/cmscore/dbs/Repository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (revision 2550) +++ pki/base/common/src/com/netscape/cmscore/dbs/Repository.java (working copy) @@ -418,10 +418,12 @@ // check if we have reached the end of the range // if so, move to next range BigInteger randomLimit = null; + BigInteger rangeLength = null; if ((this instanceof ICertificateRepository) && mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { - randomLimit = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE); - randomLimit = randomLimit.subtract(mLowWaterMarkNo.shiftRight(1)); + rangeLength = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE); + randomLimit = rangeLength.subtract(mLowWaterMarkNo.shiftRight(1)); + CMS.debug("Repository: checkRange rangeLength="+rangeLength); CMS.debug("Repository: checkRange randomLimit="+randomLimit); } CMS.debug("Repository: checkRange mLastSerialNo="+mLastSerialNo); 
@@ -430,15 +432,20 @@ if (mDB.getEnableSerialMgmt()) { CMS.debug("Reached the end of the range. Attempting to move to next range"); + if ((mNextMinSerialNo == null) || (mNextMaxSerialNo == null)) { + if (rangeLength != null && mCounter.compareTo(rangeLength) < 0) { + return; + } else { + throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", + mLastSerialNo.toString())); + } + } mMinSerialNo = mNextMinSerialNo; mMaxSerialNo = mNextMaxSerialNo; mLastSerialNo = mMinSerialNo; mNextMinSerialNo = null; mNextMaxSerialNo = null; - if ((mMaxSerialNo == null) || (mMinSerialNo == null)) { - throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", - mLastSerialNo.toString())); - } + mCounter = BigInteger.ZERO; // persist the changes mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix)); Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2550) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) @@ -106,8 +106,9 @@ return mEnableRandomSerialNumbers; } - public void setEnableRandomSerialNumbers(boolean random, boolean updateMode) { - if (mEnableRandomSerialNumbers ^ random) { + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange) { + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers random="+random+" updateMode="+updateMode); + if (mEnableRandomSerialNumbers ^ random || forceModeChange) { mEnableRandomSerialNumbers = random; CMS.debug("CertificateRepository: setEnableRandomSerialNumbers switching to " + ((random)?PROP_RANDOM_MODE:PROP_SEQUENTIAL_MODE) + " mode"); 
@@ -294,12 +295,14 @@ boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + CMS.debug("CertificateRepository: updateCounter CertificateRepositoryMode ="+crMode); CMS.debug("CertificateRepository: updateCounter modeChange="+modeChange); if (modeChange) { if (mForceModeChange) { - setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true); + setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true, mForceModeChange); } else { - setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false); + setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false, mForceModeChange); } } else if (mEnableRandomSerialNumbers && mCounter != null && mCounter.compareTo(BigInteger.ZERO) >= 0) { @@ -476,6 +479,10 @@ ((serial.compareTo(serial_upper_bound) == 0) || (serial.compareTo(serial_upper_bound) == -1) )) { CMS.debug("getLastSerialNumberInRange returning: " + serial); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = serial.subtract(serial_low_bound).add(BigInteger.ONE); + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return serial; } } else { @@ -489,6 +496,10 @@ ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = BigInteger.ZERO; + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return ret; } From mharmsen at redhat.com Thu Apr 4 18:30:32 2013 
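Review bot: In the Repository.java checkRange hunk (@@ -430,15 +432,20) the new early return taken when mCounter.compareTo(rangeLength) < 0 sits directly after the debug line "Reached the end of the range. Attempting to move to next range", so the log will report a range switch that did not happen. Add a CMS.debug line on that path saying the current range is kept. The added mCounter = BigInteger.ZERO also runs on every range switch, whether or not random serial numbers are enabled; a comment should say whether that is intended.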
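Review bot: In the CertificateRepository.java setEnableRandomSerialNumbers hunk (@@ -106,8 +106,9) the condition mEnableRandomSerialNumbers ^ random || forceModeChange depends on ^ binding tighter than ||. Parenthesize the XOR, or write mEnableRandomSerialNumbers != random, so the intent is clear, and include forceModeChange in the new CMS.debug line, which prints only random and updateMode.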
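Review bot: In the CertificateRepository.java hunk at @@ -476,6 +479,10 (and again at @@ -489,6 +496,10) the added code reads modeChange, but the only declaration visible in this patch is the local boolean modeChange in the updateCounter hunk at @@ -294,12 +295,14. Please confirm a variable of that name is in scope in this method. The second of these hunks also logs "getLastSerialNumberInRange mCounter" right after a message labelled "CertificateRepository:getLastCertRecordSerialNo", so one of the two labels is wrong.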
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 04 Apr 2013 11:30:32 -0700
Subject: [Pki-devel] [Patch] CA clone restart during configuration change
In-Reply-To: <515DC608.4050606@redhat.com>
References: <515DC608.4050606@redhat.com>
Message-ID: <515DC6C8.2010107@redhat.com>

On 04/04/13 11:27, Andrew Wnuk wrote:
> This patch provides ability to restart CA clone during configuration
> change to random serial numbers.
>
> Bug: 922264.

ACK

I received a demo of this fix.

From mharmsen at redhat.com Thu Apr 4 19:21:45 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 04 Apr 2013 12:21:45 -0700
Subject: [Pki-devel] [PATCH] in place upgrade migration changes for 8.1 branch
In-Reply-To: <1365096277.6468.5.camel@localhost.localdomain>
References: <1365096277.6468.5.camel@localhost.localdomain>
Message-ID: <515DD2C9.90208@redhat.com>

On 04/04/13 10:24, Ade Lee wrote:
> Attached are changes for in-place upgrade for the latest errata for the
> 8.1 branch. This only affects 8.1 - although some of the changes will
> be merged into d10 as part of the upgrade framework very soon. They
> will be reviewed separately.
>
> These scripts will be tested again once Matt's changes are in, to ensure
> that everything is caught. It's expected that there will be additional
> issues to address. I will update spec files then.
>
> Matt, please review.
>
> Ade

ACK

From akoneru at redhat.com Fri Apr 5 14:59:32 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 05 Apr 2013 10:59:32 -0400
Subject: [Pki-devel] [PATCH] 48 Show some more information after installation
In-Reply-To: <1365093354.11755.6.camel@akoneru.redhat.com>
References: <1365093354.11755.6.camel@akoneru.redhat.com>
Message-ID: <1365173972.9176.5.camel@akoneru.redhat.com>

Some more changes added to the patch. Please ignore the previous post.
Please review the attached patch.

--Abhishek

On Thu, 2013-04-04 at 12:35 -0400, Abhishek Koneru wrote:
> Please review the patch that prints the command to check status and the
> URL of the installed subsystem.
>
> The actual ticket also says to remove the extra console output if there
> is no -v option specified. The console log level is already set to
> WARNING, rather than INFO.
>
> --Abhishek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0048-Show-some-more-information-after-installing-a-subsys.patch
Type: text/x-patch
Size: 3070 bytes
Desc: not available

From edewata at redhat.com Fri Apr 5 20:39:44 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Apr 2013 15:39:44 -0500
Subject: [Pki-devel] [PATCH] 221 Added upgrade framework.
In-Reply-To: <514B6C2F.20709@redhat.com>
References: <514B6C2F.20709@redhat.com>
Message-ID: <515F3690.2050505@redhat.com>

On 3/21/2013 3:23 PM, Endi Sukma Dewata wrote:
> A new Python module has been added to provide a framework for upgrade
> scriptlets. A new tool called pkirespawn has been added to execute the
> scriptlets. Upgrade tracker and command-line options will be added
> separately.
>
> The pki.conf has been moved from pki-server to pki-base.
>
> Ticket #544, #553

Added tracking and error handling. Rebased on top of #224-1.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0221-1-Added-upgrade-framework.patch
Type: text/x-patch
Size: 29662 bytes
Desc: not available

From edewata at redhat.com Fri Apr 5 20:40:19 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Apr 2013 15:40:19 -0500
Subject: [Pki-devel] [PATCH] 222 Added upgrade script for random number generator.
In-Reply-To: <514B6C31.9060301@redhat.com>
References: <514B6C31.9060301@redhat.com>
Message-ID: <515F36B3.4090805@redhat.com>

On 3/21/2013 3:23 PM, Endi Sukma Dewata wrote:
> An upgrade script has been added to update the context.xml to
> configure the random number generator.
>
> Ticket #545

Rebased on top of #221-1.

Please apply the patches in the following order: #225, #224-1, #221-1,
#222-1. Thanks.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0222-1-Added-upgrade-script-for-random-number-generator.patch
Type: text/x-patch
Size: 6269 bytes
Desc: not available

From edewata at redhat.com Fri Apr 5 20:39:00 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Apr 2013 15:39:00 -0500
Subject: [Pki-devel] [PATCH] 224 Updated version number to 10.0.2-0.1.
In-Reply-To: <515345A7.8090401@redhat.com>
References: <515345A7.8090401@redhat.com>
Message-ID: <515F3664.7050601@redhat.com>

On 3/27/2013 2:16 PM, Endi Sukma Dewata wrote:
> The compose scripts and RPM specs have been updated to use version
> 10.0.2-0.1.

Rebased on top of #225.

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0224-1-Updated-version-number-to-10.0.2-0.1.patch
Type: text/x-patch
Size: 15446 bytes
Desc: not available

From edewata at redhat.com Fri Apr 5 20:38:51 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 05 Apr 2013 15:38:51 -0500
Subject: [Pki-devel] [PATCH] 225 Renamed base/deploy to base/server.
Message-ID: <515F365B.8080903@redhat.com>

The base/deploy folder has been renamed to base/server to match the
package name. The pki.conf has been moved into pki-base package.

Ticket #553, #564

-- 
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0225-Renamed-base-deploy-to-base-server.patch
Type: text/x-patch
Size: 15936 bytes
Desc: not available

From akoneru at redhat.com Mon Apr 8 14:22:48 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 08 Apr 2013 10:22:48 -0400
Subject: [Pki-devel] [PATCH] 49 Retry setting selinux contexts incase of concurrent pkispawn/pkidestroy execution on a machine - Ticket 470
Message-ID: <1365430968.4393.4.camel@akoneru.redhat.com>

Please review the patch which adds a retry mechanism if a semanage
transaction lock could not be acquired by a pkispawn/pkidestroy
execution. Normally, if a process does not get SELinux transaction lock
it throws an error and quits.

This patch allows pkispawn/pkidestroy to retry 10 times with a 5 second
interval between each try.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0049-pkispawn-pkidestroy-retry-setting-selinux-contexts.patch
Type: text/x-patch
Size: 13010 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 8 18:25:42 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Apr 2013 13:25:42 -0500
Subject: [Pki-devel] [PATCH] 48 Show some more information after installation
In-Reply-To: <1365173972.9176.5.camel@akoneru.redhat.com>
References: <1365093354.11755.6.camel@akoneru.redhat.com> <1365173972.9176.5.camel@akoneru.redhat.com>
Message-ID: <51630BA6.4040004@redhat.com>

On 4/5/2013 9:59 AM, Abhishek Koneru wrote:
> Some more changes added to the patch. Please ignore the previous post.
> Please review the attached patch.

Some comments:

1. There's a typo:

   PKI_CHECK_STATUS_MESSAGE = "COmmand...

2. Please also show the following information:
   - Admin username
   - Location of client database
   - Client certificate nickname

   This way the admin knows the parameters needed to use the CLI.

3. Could we move these messages before 'Installation complete'? If the
   messages are long it will be more difficult to see the result of the
   installation.

4. Some trailing whitespaces.

--
Endi S. Dewata

From edewata at redhat.com Mon Apr 8 18:26:45 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Apr 2013 13:26:45 -0500
Subject: [Pki-devel] [PATCH] 49 Retry setting selinux contexts incase of concurrent pkispawn/pkidestroy execution on a machine - Ticket 470
In-Reply-To: <1365430968.4393.4.camel@akoneru.redhat.com>
References: <1365430968.4393.4.camel@akoneru.redhat.com>
Message-ID: <51630BE5.4080505@redhat.com>

On 4/8/2013 9:22 AM, Abhishek Koneru wrote:
> Please review the patch which adds a retry mechanism if a semanage
> transaction lock could not be acquired by a pkispawn/pkidestroy
> execution. Normally, if a process does not get SELinux transaction lock
> it throws an error and quits.
>
> This patch allows pkispawn/pkidestroy to retry 10 times with a 5 second
> interval between each try.

Some comments:

1. Is there any document describing that the SELinux transaction would
   throw an exception instead of blocking? Or did you already confirm
   this with someone?

2. Do you have the link of the ticket that handles this issue in DS?
   Please put it in ticket #470 as a reference.

3. Is there a reliable way to test this?

4. The comment for adding SELinux contexts incorrectly says:

       # A maximum of 10 tries to delete the SELinux contexts

5. The code checks the type of error based on error message:

       if error_message.find("Could not start semanage transaction")

   The problem is that the error message might change or be translated
   so it would not match. Can we check using the exception class or
   error code?

6. The timeOut variable is used as a counter for number of tries. It
   might be better to use the following variable names for better
   clarity:

       counter = 1
       max_tries = 10

7. There's a bug in the patch. Suppose it fails to start transaction
   when timeOut is 9, it will enter the exception handling code, then
   timeOut is incremented to 10. Since timeOut is not bigger than 10 it
   doesn't throw an exception:

       if timeOut > 10:
           raise

   Then it goes back to the loop, but since timeOut is not less than 10
   the loop now will terminate:

       while timeOut < 10:

   So the code will continue without throwing an error. I think it
   would be better to check the timeOut in just one location instead of
   in two places to avoid bugs like this.

8. Some trailing whitespaces.

--
Endi S. Dewata

From edewata at redhat.com Mon Apr 8 20:03:51 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 08 Apr 2013 15:03:51 -0500
Subject: [Pki-devel] [PATCH] 226 Automatic upgrade on RPM upgrade.
Message-ID: <516322A7.1050104@redhat.com>

The spec has been modified to run pki-upgrade on post server
installation.

Ticket #544

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0226-Automatic-upgrade-on-RPM-upgrade.patch
Type: text/x-patch
Size: 1583 bytes
Desc: not available
URL:

From alee at redhat.com Mon Apr 8 20:38:17 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 08 Apr 2013 16:38:17 -0400
Subject: [Pki-devel] [PATCH] in place migration for 8.1
Message-ID: <1365453497.20775.2.camel@aleeredhat.laptop>

Attached are changes to the 8.1 in-place migration scripts to handle
changes due to IP separation changes.

This is only for 8.1.
Please review.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foo.base.patch
Type: text/x-patch
Size: 6155 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: foo.redhat.patch
Type: text/x-patch
Size: 1409 bytes
Desc: not available
URL:

From mharmsen at redhat.com Tue Apr 9 00:02:20 2013
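The failure mode from review comment 7 on patch 49 above, as an added example that is not part of the thread and is not the patch's own code: the first function rebuilds the loop shape from the two tests quoted in that comment, the second checks the limit in one place. The BusySemanage class, the function names and the starting value 0 are assumptions made for the illustration; when the first loop gives up, the caller carries on as if the SELinux contexts had been set.

```python
import time

# Error text quoted in the thread; seobject reports lock contention only as
# a ValueError carrying this message.
LOCK_MESSAGE = "Could not start semanage transaction"


class BusySemanage:
    """Constructed stand-in for an seobject transaction (hypothetical).

    The first `busy_for` calls fail the way a contended semanage
    transaction lock does; later calls succeed.
    """

    def __init__(self, busy_for, message=LOCK_MESSAGE):
        self.busy_for = busy_for
        self.message = message
        self.calls = 0
        self.applied = False

    def set_contexts(self):
        self.calls += 1
        if self.calls <= self.busy_for:
            raise ValueError(self.message)
        self.applied = True


def retry_two_checks(operation, sleep=time.sleep):
    """Loop shape from review comment 7: the limit is tested in two places.

    The starting value 0 is an assumption; the comment only quotes the two
    tests, 'while timeOut < 10' and 'if timeOut > 10: raise'.
    """
    timeOut = 0
    while timeOut < 10:
        try:
            operation()
            return
        except ValueError as error:
            if LOCK_MESSAGE not in str(error):
                raise
            timeOut += 1
            if timeOut > 10:  # can never be true inside this loop
                raise
            sleep(5)
    # Every try failed, yet the function ends here without raising.


def retry_single_check(operation, max_tries=10, interval=5, sleep=time.sleep):
    """Same policy with one limit check: the last failure always propagates.

    Returns the number of the attempt that succeeded.
    """
    for attempt in range(1, max_tries + 1):
        try:
            operation()
            return attempt
        except ValueError as error:
            # Anything other than lock contention is not retried.
            if LOCK_MESSAGE not in str(error) or attempt == max_tries:
                raise
            sleep(interval)


def no_sleep(_seconds):
    """Skip the 5 second wait so the demonstration finishes at once."""


if __name__ == "__main__":
    stuck = BusySemanage(busy_for=100)  # lock is never released
    retry_two_checks(stuck.set_contexts, no_sleep)
    print("two checks: no error, applied =", stuck.applied,
          "tries =", stuck.calls)

    stuck = BusySemanage(busy_for=100)
    try:
        retry_single_check(stuck.set_contexts, sleep=no_sleep)
    except ValueError as error:
        print("single check: raised '%s' after %d tries" % (error, stuck.calls))
```
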
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 08 Apr 2013 17:02:20 -0700
Subject: [Pki-devel] [PATCH] RHCS 8.1 - SAN Multi-Host Patches (preliminary)
Message-ID: <51635A8C.1060202@redhat.com>

Please perform an initial code review on the attached patches (only
applicable for RHCS 8.1 on RHEL 5).

The following two patches address:

  * 'pkicreate' now does three types of port configuration:
      o IP Port Separation
      o Port Separation
      o Shared Ports (deprecated)
  * security manager issue was fixed
  * new security domain schema is complete
  * the security domain has been implemented to comply with this new
    schema
  * generated a multi-host CA complete with an SSL Server Certificate
    containing SAN information (utilizes profile framework)
  * generated a multi-host KRA complete with an SSL Server Certificate
    containing SAN information (utilizes name/value pairs passed in
    via the enrollment URL which are processed via the profile
    framework)
  * addressed 'TokenAuthenticate' SSL_ForceHandshake issue by
    utilizing DNSName instead of DirectoryName attributes in the SSL
    Server certificate SAN extensions
  * applied the checkIP() feature described in 'Bugzilla Bug #708075 -
    Clone installation does not work over NAT'
  * applied substitution of raw IP addresses from 'pkicreate' into the
    'server.xml' to support the new IP Port Separation mode

Development test info:

  * pki-ip-host (installation host - RHEL 5.9 x86_64)
      o pki-ca-agent (CA agent interface - virtual IP)
      o pki-ca-ee (CA EE interface - virtual IP)
      o pki-ca-ee-ca (CA EE clientauth interface - virtual IP)
      o pki-ca-admin (CA admin interface - virtual IP)
      o pki-kra-agent (KRA agent interface - virtual IP)
      o pki-kra-ee (KRA EE interface - virtual IP)
      o pki-kra-admin (KRA admin interface - virtual IP)
  * pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different domain)

Thus far, only the following tests have been run against these patches:

  * successfully tested regression case of CA and KRA installed using
    Port Separation
  * successfully tested sanity case of CA and KRA installed using IP
    Port Separation
  * successfully tested mixed mode deployment case of a CA installed
    using Port Separation and a KRA installed using IP Port Separation
  * successfully tested mixed mode deployment case of a CA installed
    using IP Port Separation and a KRA installed using Port Separation
  * successfully tested miscellaneous case of specifying a CA with
    four virtual IPs (none of which belonged to the host that the
    server was being installed upon) using IP Port Separation
  * successfully tested miscellaneous case of CA and KRA installed
    using IP Port Separation utilizing unique IP addresses for each
    interface (none of which specified the installation host IP), but
    specifying the same HTTP/HTTPS port numbers (e. g. - 19080/19443)
    and unique ports for Tomcat (9701/10701)
      o NOTE: I managed to successfully test this case with SELinux
        in Enforcing mode -- this is because the only ports that would
        be labeled are the Tomcat ports which exist on the
        installation machine (which do not in this case, as they are
        the default cases for pki_ca_port_t and pki_kra_port_t). In
        this test case, since none of the interfaces refer to the
        installation machine IP, none of these ports are labeled by
        SELinux. The 'pkicreate' executable enforces unique entries.
        While a second instance (e. g. - KRA) could be installed
        re-using the entries specified (e. g. - CA), the two instances
        could not be started simultaneously due to an inability to bind
        (java.net.BindException: Address already in use) - see
        'netstat -a | grep ' or 'netstat -a | grep '.
  * successfully tested miscellaneous case of installing a CA using IP
    Port Separation which was configured using a customized SAN
    'serverCert.profile' which included two additional SAN entries on
    top of the entries computed for IP Port Separation

The following issues are still actively being addressed:

  * failure of java security manager to allow server to start when
    specifying non-installation host ports 80/443 (SELinux in
    permissive mode) results in (java.net.BindException: Permission
    denied:80) - (i. e. - see
    http://www.jvmhost.com/articles/java-net-bindexception-permisssion-denied-operation-not-permitted)
  * failure of pkisilent to successfully configure a PKI instance
  * reported concerns regarding the ability to install/configure an
    RA/TPS instance which uses the existing code changes required for
    interaction with the revised security domain

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130408_redhat_san_multi_host.patch
Type: text/x-patch
Size: 5015 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130408_san_multi_host.patch
Type: text/x-patch
Size: 242564 bytes
Desc: not available
URL:

From alee at redhat.com Tue Apr 9 03:26:15 2013
From: alee at redhat.com (Ade Lee) Date: Mon, 08 Apr 2013 23:26:15 -0400 Subject: [Pki-devel] [PATCH] 225 Renamed base/deploy to base/server. In-Reply-To: <515F365B.8080903@redhat.com> References: <515F365B.8080903@redhat.com> Message-ID: <1365477975.20775.3.camel@aleeredhat.laptop> ACK. On Fri, 2013-04-05 at 15:38 -0500, Endi Sukma Dewata wrote: > The base/deploy folder has been renamed to base/server to match the > package name. The pki.conf has been moved into pki-base package. > > Ticket #553, #564 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From alee at redhat.com Tue Apr 9 03:30:15 2013 From: alee at redhat.com (Ade Lee) Date: Mon, 08 Apr 2013 23:30:15 -0400 Subject: [Pki-devel] [PATCH] 224 Updated version number to 10.0.2-0.1. In-Reply-To: <515F3664.7050601@redhat.com> References: <515345A7.8090401@redhat.com> <515F3664.7050601@redhat.com> Message-ID: <1365478215.20775.4.camel@aleeredhat.laptop> ACK On Fri, 2013-04-05 at 15:39 -0500, Endi Sukma Dewata wrote: > On 3/27/2013 2:16 PM, Endi Sukma Dewata wrote: > > The compose scripts and RPM specs have been updated to use version > > 10.0.2-0.1. > > Rebased on top of #225. > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Tue Apr 9 13:44:36 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 09 Apr 2013 08:44:36 -0500 Subject: [Pki-devel] [PATCH] 225 Renamed base/deploy to base/server. In-Reply-To: <1365477975.20775.3.camel@aleeredhat.laptop> References: <515F365B.8080903@redhat.com> <1365477975.20775.3.camel@aleeredhat.laptop> Message-ID: <51641B44.4070307@redhat.com> On 4/8/2013 10:26 PM, Ade Lee wrote: > ACK. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Apr 9 13:45:33 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 09 Apr 2013 08:45:33 -0500 Subject: [Pki-devel] [PATCH] 224 Updated version number to 10.0.2-0.1. In-Reply-To: <1365478215.20775.4.camel@aleeredhat.laptop> References: <515345A7.8090401@redhat.com> <515F3664.7050601@redhat.com> <1365478215.20775.4.camel@aleeredhat.laptop> Message-ID: <51641B7D.6060005@redhat.com> On 4/8/2013 10:30 PM, Ade Lee wrote: > ACK Pushed to master. -- Endi S. Dewata From akoneru at redhat.com Tue Apr 9 15:51:18 2013 
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 09 Apr 2013 11:51:18 -0400
Subject: [Pki-devel] [PATCH] 49 Retry setting selinux contexts incase of concurrent pkispawn/pkidestroy execution on a machine - Ticket 470
In-Reply-To: <51630BE5.4080505@redhat.com>
References: <1365430968.4393.4.camel@akoneru.redhat.com> <51630BE5.4080505@redhat.com>
Message-ID: <1365522678.2168.10.camel@akoneru.redhat.com>

Please review the patch with fixes for comments given by Endi.

--Abhishek

On Mon, 2013-04-08 at 13:26 -0500, Endi Sukma Dewata wrote:
> On 4/8/2013 9:22 AM, Abhishek Koneru wrote:
> > Please review the patch which adds a retry mechanism if a semanage
> > transaction lock could not be acquired by a pkispawn/pkidestroy
> > execution. Normally, if a process does not get SELinux transaction lock
> > it throws an error and quits.
> >
> > This patch allows pkispawn/pkidestroy to retry 10 times with a 5 second
> > interval between each try.
>
> Some comments:
>
> 1. Is there any document describing that the SELinux transaction would
> throw an exception instead of blocking? Or did you already confirm this
> with someone?
>
> 2. Do you have the link of the ticket that handles this issue in DS?
> Please put it in ticket #470 as a reference.
-- Added the reference in the comments section of #470
>
> 3. Is there a reliable way to test this?
Tested the scenario using the following script.

    #!/usr/bin/python

    import selinux
    import seobject

    if selinux.is_selinux_enabled():
        print('SELinux is enabled')

    try:
        # Start a semanage transaction and add one port label inside it.
        trans = seobject.semanageRecords("targeted")
        trans.start()
        portRecords = seobject.portRecords()
        portRecords.add('8492', "tcp", "s0", 'http_port_t')
        trans.finish()
    except ValueError as e:
        s = str(e)
        # Report only the failure to get the transaction lock; the text
        # matches the ValueError shown in the output below.
        if 'Could not start semanage transaction' in s:
            print(s)

Executed the same script simultaneously in two terminals. Only one
script completed the transaction, and the other failed throwing a
ValueError.

libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).
ValueError: Could not start semanage transaction
>
>
> 4. The comment for adding SELinux contexts incorrectly says:
>
>     # A maximum of 10 tries to delete the SELinux contexts
>
-- Rectified
> 5. The code checks the type of error based on error message:
>
>     if error_message.find("Could not start semanage transaction")
>
> The problem is that the error message might change or be translated so
> it would not match. Can we check using the exception class or error code?
>
The methods in classes in seobject throw just the ValueErrors if there
is an exception during execution. No error codes returned. Since the
retry has to be done only when the transaction could not begin without
getting the lock, a check on the error message is done.
> 6. The timeOut variable is used as a counter for number of tries. It
> might be better to use the following variable names for better clarity:
>
>     counter = 1
>     max_tries = 10
>
-- Changed the variable names
> 7. There's a bug in the patch. Suppose it fails to start transaction
> when timeOut is 9, it will enter the exception handling code, then
> timeOut is incremented to 10. Since timeOut is not bigger than 10 it
> doesn't throw an exception:
>
>     if timeOut > 10:
>         raise
>
> Then it goes back to the loop, but since timeOut is not less than 10 the
> loop now will terminate:
>
>     while timeOut < 10:
>
> So the code will continue without throwing an error. I think it would be
> better to check the timeOut in just one location instead of in two
> places to avoid bugs like this.
-- Fixed. Modified the check in catch clause to, counter == max_tries
>
> 8. Some trailing whitespaces.
>
Fixed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0049-2-pkispawn-pkidestroy-retry-setting-selinux-contexts.patch Type: text/x-patch Size: 12971 bytes Desc: not available URL: From akoneru at redhat.com Tue Apr 9 17:08:26 2013 From: akoneru at redhat.com (Abhishek Koneru) Date: Tue, 09 Apr 2013 13:08:26 -0400 Subject: [Pki-devel] [PATCH] 50 Remove [OPTIONS] in the usage text, when there are no options for the CLI #543 Message-ID: <1365527306.2168.13.camel@akoneru.redhat.com> Please review the patch which fixes ticket #543 and a similar occurrence of the issue in other cli commands. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0050-Remove-OPTIONS-from-usage-in-commands-with-no-options.patch Type: text/x-patch Size: 10518 bytes Desc: not available URL: From edewata at redhat.com Tue Apr 9 18:21:58 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 09 Apr 2013 13:21:58 -0500 Subject: [Pki-devel] [PATCH] 47 Remove all the occurences of respawn and the -u option in pkispawn scripts In-Reply-To: <1365002722.7867.12.camel@akoneru.redhat.com> References: <1365002722.7867.12.camel@akoneru.redhat.com> Message-ID: <51645C46.2060608@redhat.com> On 4/3/2013 10:25 AM, Abhishek Koneru wrote: > Please review the patch with fixes for ticket 542 which removes all the > occurrences of respawn in the deployment scripts. ACK. I was able to apply it with git am -3. -- Endi S. Dewata From akoneru at redhat.com Tue Apr 9 18:31:36 2013 
From: akoneru at redhat.com (Abhishek Koneru) Date: Tue, 09 Apr 2013 14:31:36 -0400 Subject: [Pki-devel] [PATCH] 47 Remove all the occurences of respawn and the -u option in pkispawn scripts In-Reply-To: <51645C46.2060608@redhat.com> References: <1365002722.7867.12.camel@akoneru.redhat.com> <51645C46.2060608@redhat.com> Message-ID: <1365532296.13185.1.camel@akoneru.redhat.com> Pushed to master. On Tue, 2013-04-09 at 13:21 -0500, Endi Sukma Dewata wrote: > On 4/3/2013 10:25 AM, Abhishek Koneru wrote: > > Please review the patch with fixes for ticket 542 which removes all the > > occurrences of respawn in the deployment scripts. > > ACK. I was able to apply it with git am -3. > From akoneru at redhat.com Tue Apr 9 20:03:53 2013 
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 09 Apr 2013 16:03:53 -0400
Subject: [Pki-devel] [PATCH] 48-2 Fixes for [Patch] 48 Show some more information after installation
In-Reply-To: <51630BA6.4040004@redhat.com>
References: <1365093354.11755.6.camel@akoneru.redhat.com> <1365173972.9176.5.camel@akoneru.redhat.com> <51630BA6.4040004@redhat.com>
Message-ID: <1365537833.20292.3.camel@akoneru.redhat.com>

Please review the patch with fixes for the review comments for patch 48

On Mon, 2013-04-08 at 13:25 -0500, Endi Sukma Dewata wrote:
> On 4/5/2013 9:59 AM, Abhishek Koneru wrote:
> > Some more changes added to the patch. Please ignore the previous post.
> > Please review the attached patch.
>
> Some comments:
>
> 1. There's a typo:
>
>     PKI_CHECK_STATUS_MESSAGE = "COmmand...
>
> 2. Please also show the following information:
> - Admin username
> - Location of client database
> - Client certificate nickname
>
Added these details.
> This way the admin knows the parameters needed to use the CLI.
>
> 3. Could we move these messages before 'Installation complete'? If the
> messages are long it will be more difficult to see the result of the
> installation.
Information is printed above the 'Installation complete' message.
>
> 4. Some trailing whitespaces.
Fixed.
>
--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0048-2-Show-some-more-information-after-installing-a-subsys.patch
Type: text/x-patch
Size: 4687 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 9 21:18:31 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 09 Apr 2013 16:18:31 -0500
Subject: [Pki-devel] [PATCH] 221 Added upgrade framework.
In-Reply-To: <515F3690.2050505@redhat.com>
References: <514B6C2F.20709@redhat.com> <515F3690.2050505@redhat.com>
Message-ID: <516485A7.60300@redhat.com>

On 4/5/2013 3:39 PM, Endi Sukma Dewata wrote:
> On 3/21/2013 3:23 PM, Endi Sukma Dewata wrote:
>> A new Python module has been added to provide a framework for upgrade
>> scriptlets. A new tool called pkirespawn has been added to execute the
>> scriptlets. Upgrade tracker and command-line options will be added
>> separately.
>>
>> The pki.conf has been moved from pki-server to pki-base.
>>
>> Ticket #544, #553
>
> Added tracking and error handling. Rebased on top of #224-1.

Revision based on review:

1. Replaced sign variable with delimiter.
2. Fixed parsing format in comments into ": ".
3. Removed extra backslash in get_tracker().
4. Added comments in get_current_version().
5. Renamed --version param into --scriplet-version.
6. Renamed --scriptlet param into --scriplet-index.
7. Fixed pki-upgrade usage messages.
8. Added warning for advanced usage.

To be addressed separately:

9. Automatic backup and rollback feature.
10. Manual page for pki-upgrade.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From mharmsen at redhat.com Tue Apr 9 22:18:31 2013
From: mharmsen at redhat.com (Matthew Harmsen) Date: Tue, 09 Apr 2013 15:18:31 -0700 Subject: [Pki-devel] [PATCH] in place migration for 8.1 In-Reply-To: <1365453497.20775.2.camel@aleeredhat.laptop> References: <1365453497.20775.2.camel@aleeredhat.laptop> Message-ID: <516493B7.90905@redhat.com> On 04/08/13 13:38, Ade Lee wrote: > Attached are changes to the 8.1 in-place migration scripts to handle > changes due to IP separation changes. > > This is only for 8.1. > Please review. > > Ade > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK with caveat: In the following section, remove the line '($secure_port == $ee_secure_client_auth_port) &&' as this condition only applies to CA subsystems, and doesn't change the correctness of the conditional if it is simply removed: ############################################################## # Version subroutines ############################################################## 
@@ -626,6 +664,32 @@ $agentMachineName=$cfg->{'adminMachineName'}; } + #ip addresses + my $agent_ip_addr = get_IP_address_from_FQDN($agentMachineName); + my $ee_ip_addr = get_IP_address_from_FQDN($eeMachineName); + my $ee_client_auth_ip_addr = get_IP_address_from_FQDN($eecaMachineName); + my $admin_ip_addr = get_IP_address_from_FQDN($adminMachineName); + + # port configuration mode + my $port_configuration_mode = ""; + if (exists $cfg->{'service.portConfigurationMode'} and \ + defined $cfg->{'service.portConfigurationMode'}) { + $port_configuration_mode = $cfg->{'service.portConfigurationMode'}; + } else { + if ($subsystem_type eq $RA) { + $port_configuration_mode = "RA Ports"; + } elsif ($subsystem_type eq $TPS) { + $port_configuration_mode = "TPS Ports"; + } elsif (($secure_port == $ee_secure_port) && *+ ($secure_port == $ee_secure_client_auth_port) &&* + ($secure_port == $admin_secure_port) && + ($secure_port == $agent_secure_port)) { + $port_configuration_mode = "Shared Ports"; + } else { + $port_configuration_mode = "Port Separation"; + } + } + -------------- next part -------------- An HTML attachment was scrubbed... URL: From alee at redhat.com Wed Apr 10 14:00:33 2013 
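Review bot: the first condition of the port configuration mode check ends its line with 'and \' before 'defined $cfg->{'service.portConfigurationMode'}', and Perl has no backslash line continuation. A backslash in front of an expression is the reference operator, so '\ defined ...' yields a reference, which is always true, and the defined() test never influences the branch. With exists() alone deciding, a key that is present but undefined would be copied into $port_configuration_mode instead of falling through to the derived modes. Drop the backslash; the condition can span two lines without it.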
From: alee at redhat.com (Ade Lee) Date: Wed, 10 Apr 2013 10:00:33 -0400 Subject: [Pki-devel] [PATCH] in place migration for 8.1 In-Reply-To: <516493B7.90905@redhat.com> References: <1365453497.20775.2.camel@aleeredhat.laptop> <516493B7.90905@redhat.com> Message-ID: <1365602433.27622.0.camel@aleeredhat.laptop> fixed and pushed to 8.1.errata and 8.x branch. On Tue, 2013-04-09 at 15:18 -0700, Matthew Harmsen wrote: > On 04/08/13 13:38, Ade Lee wrote: > > > Attached are changes to the 8.1 in-place migration scripts to handle > > changes due to IP separation changes. > > > > This is only for 8.1. > > Please review. > > > > Ade > > > > > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > ACK with caveat: > > In the following section, remove the line '($secure_port == > $ee_secure_client_auth_port) &&' as this condition only applies to CA > subsystems, and doesn't change the correctness of the conditional if > it is simply removed: > ############################################################## > # Version subroutines > ############################################################## 
> @@ -626,6 +664,32 @@ > $agentMachineName=$cfg->{'adminMachineName'}; > } > > + #ip addresses > + my $agent_ip_addr = get_IP_address_from_FQDN($agentMachineName); > + my $ee_ip_addr = get_IP_address_from_FQDN($eeMachineName); > + my $ee_client_auth_ip_addr = get_IP_address_from_FQDN($eecaMachineName); > + my $admin_ip_addr = get_IP_address_from_FQDN($adminMachineName); > + > + # port configuration mode > + my $port_configuration_mode = ""; > + if (exists $cfg->{'service.portConfigurationMode'} and \ > + defined $cfg->{'service.portConfigurationMode'}) { > + $port_configuration_mode = $cfg->{'service.portConfigurationMode'}; > + } else { > + if ($subsystem_type eq $RA) { > + $port_configuration_mode = "RA Ports"; > + } elsif ($subsystem_type eq $TPS) { > + $port_configuration_mode = "TPS Ports"; > + } elsif (($secure_port == $ee_secure_port) && > + ($secure_port == $ee_secure_client_auth_port) && > + ($secure_port == $admin_secure_port) && > + ($secure_port == $agent_secure_port)) { > + $port_configuration_mode = "Shared Ports"; > + } else { > + $port_configuration_mode = "Port Separation"; > + } > + } > + > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Wed Apr 10 20:31:08 2013 From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 10 Apr 2013 16:31:08 -0400 Subject: [Pki-devel] [PATCH] 51 Remove sensitive parameters from the archived configuration file. Ticket #566 Message-ID: <1365625868.4458.2.camel@akoneru.redhat.com> Please review the patch which removes storing the sensitive parameters in the archived deployment configuration file. (Ticket #566) --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0051-Remove-sensitive-parameters-from-archived-deployment.patch Type: text/x-patch Size: 2744 bytes Desc: not available URL: From awnuk at redhat.com Wed Apr 10 22:37:59 2013 
From: awnuk at redhat.com (Andrew Wnuk) Date: Wed, 10 Apr 2013 15:37:59 -0700 Subject: [Pki-devel] certificate counter improvement Message-ID: <5165E9C7.9040103@redhat.com> This patch includes system certificates with random serial numbers in the certificate counter. Bug: 922121. -------------- next part -------------- Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2551) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) @@ -370,16 +370,25 @@ } else { c = s; } - CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"")); + CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); BigInteger counter = new BigInteger(c); BigInteger count = BigInteger.ZERO; - if (t != null) { + if (CMS.isPreOpMode()) { + CMS.debug("CertificateRepository: getInRangeCounter: CMS.isPreOpMode"); + counter = new BigInteger("-2"); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-2"); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } else if (t != null) { count = getInRangeCount(t, minSerialNo, maxSerialNo); if (count.compareTo(BigInteger.ZERO) > 0) { counter = counter.add(count); } - } else if (s.equals("-2") || (c.equals("-1") && CMS.isPreOpMode())) { + } else if (s.equals("-2")) { count = getInRangeCount(t, minSerialNo, maxSerialNo); if (count.compareTo(BigInteger.ZERO) >= 0) { counter = count; From mharmsen at redhat.com Wed Apr 10 22:44:37 2013 
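Review bot: in the new CMS.isPreOpMode() branch a failed CMS.getConfigStore().commit(false) is only written to the debug log, so the method carries on with counter -2 even when PROP_RANDOM_SERIAL_NUMBER_COUNTER was not persisted; consider reporting that at error level or propagating it. The message in that catch block also says 'updateCounter' while the neighbouring debug lines name getInRangeCounter, which will mislead anyone reading the log. In the changed debug line the null case now appends "null" directly after the value of c with no " t=" label; " t=null" would keep the two values apart. The remaining 's.equals("-2")' branch is reached only when t is null yet still passes t to getInRangeCount(), so a short comment on what a null t means there would help.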
From: mharmsen at redhat.com (Matthew Harmsen) Date: Wed, 10 Apr 2013 15:44:37 -0700 Subject: [Pki-devel] certificate counter improvement In-Reply-To: <5165E9C7.9040103@redhat.com> References: <5165E9C7.9040103@redhat.com> Message-ID: <5165EB55.9090800@redhat.com> On 04/10/13 15:37, Andrew Wnuk wrote: > This patch includes system certificates with random serial numbers in > the certificate counter. > > Bug: 922121. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK I received a demo of this fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mharmsen at redhat.com Thu Apr 11 03:37:08 2013 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Wed, 10 Apr 2013 20:37:08 -0700
Subject: [Pki-devel] [PATCH] RHCS 8.1 - SAN Multi-Host Patches (preliminary) [UPDATE 20130410]
In-Reply-To: <51635A8C.1060202@redhat.com>
References: <51635A8C.1060202@redhat.com>
Message-ID: <51662FE4.6060205@redhat.com>

On 04/08/13 17:02, Matthew Harmsen wrote:
> Please perform an initial code review on the attached patches (only
> applicable for RHCS 8.1 on RHEL 5).
>

Three new patches (two which are revisions to the previous patches, and
one which represents a simple recursive diff between the two 'pki'
trees which contain the code changes) have been attached which address
the following issues raised during code review (also see inline
comments regarding other issues):

  * base/common/src/com/netscape/cms/authentication/TokenAuthentication.java:
      o remove CMS.debug("TokenAuthentication: givenHost=" + givenHost);
  * base/common/src/com/netscape/cms/servlet/csadmin/*Panel.java:
      o rename 'buildSANsslserverURLextension' to
        'buildSANSSLserverURLExtension'
      o fix preop.ca.hostname (be explicit as to which host this
        refers to)
  * base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java:
      o try to make them all use EE host and EE port (which did not
        work as the EE connection is unavailable during installation
        of a CA)
      o since that did not work for all cases, fixed all cases to
        utilize Admin host and Admin port as requested
  * base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java:
      o break line CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port + " url=" + servlet + " content=" + uri);
      o change 'Vector v_admin_host = parser.getValuesFromContainer( nodeList.item(i), "Host" );'
        to 'Vector v_admin_host = parser.getValuesFromContainer( nodeList.item(i), "AdminHost" );'
  * base/pkisilent/templates:
      o fixed failure of pkisilent to successfully configure a PKI
        instance
      o New IP Port Separation pkisilent templates have been created
        for CA, KRA, OCSP, and TKS
      o New pkisilent templates for CA and KRA utilizing IP Port
        Separation were successfully executed
  * base/setup/pkicommon:
      o make 'addr' a local variable rather than global variable
      o used join() for SAN uniqueness routine
      o renamed 'IsPortConfigurationModeValid' to
        'get_port_configuration_mode' and changed it to return strings
        rather than integers
      o added logic to check for unlabeled ports being defined on
        installation host primarily to support IP Separation (e. g. -
        all interfaces distinguishable by unique IPs using a common
        port)

The lone remaining item that MUST be addressed (besides any additional
feedback associated with these revised patches) is:

  * reported concerns regarding the ability to install/configure an
    RA/TPS instance which uses the existing code changes required for
    interaction with the revised security domain
  * will be investigated starting on 4/11/2013

The new patches do not address the following items from the previous
code review, and may not be addressed due to schedule and resources:

  * base/setup/pkiremove:
      o revive 'use strict' - was removed since 'pkiremove' now
        references variables from the 'require pkicommon' file; this
        was probably the cause for 'use strict' not being a part of
        'pkicreate'
      o in pkiremove, in the function where it is determined which
        selinux ports to remove, the $i variable is used to track the
        index of the array - no need to do that -- just use append()
  * base/setup/pkicommon:
      o modularization of IsPortConfigurationModeValid() - e. g. -
        uniqueness helper functions to replace large conditional blocks
      o refactor IsPortConfigurationModeValid() - rejected as it was
        discussed that since the code has been tested numerous times,
        and while this may help with maintainability, this code is
        only used for the 8.1 code base errata process
      o standardize coding style - rejected for the 8.1 code base --
        this has already been addressed in the Dogtag 10 code base

-- Matt

> The following two patches address:
>
>   * 'pkicreate' now does three types of port configuration:
>       o IP Port Separation
>       o Port Separation
>       o Shared Ports (deprecated)
>   * security manager issue was fixed
>   * new security domain schema is complete
>   * the security domain has been implemented to comply with this new schema
>   * generated a multi-host CA complete with an SSL Server Certificate
>     containing SAN information (utilizes profile framework)
>   * generated a multi-host KRA complete with an SSL Server Certificate
>     containing SAN information (utilizes name/value pairs passed in
>     via the enrollment URL which are processed via the profile framework)
>   * addressed 'TokenAuthenticate' SSL_ForceHandshake issue by
>     utilizing DNSName instead of DirectoryName attributes in the SSL
>     Server certificate SAN extensions
>   * applied the checkIP() feature described in 'Bugzilla Bug #708075
>     - Clone installation does not work over NAT'
>   * applied substitution of raw IP addresses from 'pkicreate' into the
>     'server.xml' to support the new IP Port Separation mode
>
> Development test info:
>
>   * pki-ip-host (installation host - RHEL 5.9 x86_64)
>       o pki-ca-agent (CA agent interface - virtual IP)
>       o pki-ca-ee (CA EE interface - virtual IP)
>       o pki-ca-ee-ca (CA EE clientauth interface - virtual IP)
>       o pki-ca-admin (CA admin interface - virtual IP)
>       o pki-kra-agent (KRA agent interface - virtual IP)
>       o pki-kra-ee (KRA EE interface - virtual IP)
>       o pki-kra-admin (KRA admin interface - virtual IP)
>   * pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different domain)
>
> Thus far, only the following tests have been run against these patches:
>
>   * successfully tested regression case of CA and KRA installed using
>     Port Separation
>   * successfully tested sanity case of CA and KRA installed using IP
>     Port Separation
>   * successfully tested mixed mode deployment case of a CA installed
>     using Port Separation and a KRA installed using IP Port Separation
>   * successfully tested mixed mode deployment case of a CA installed
>     using IP Port Separation and a KRA installed using Port Separation
>   * successfully tested miscellaneous case of specifying a CA with
>     four virtual IPs (none of which belonged to the host that the
>     server was being installed upon) using IP Port Separation
>   * successfully tested miscellaneous case of CA and KRA installed
>     using IP Port Separation utilizing unique IP addresses for each
>     interface (none of which specified the installation host IP), but
>     specifying the same HTTP/HTTPS port numbers (e. g. - 19080/19443)
>     and unique ports for Tomcat (9701/10701)
>       o NOTE: I managed to successfully test this case with SELinux
>         in Enforcing mode -- this is because the only ports that would
>         be labeled are the Tomcat ports which exist on the
>         installation machine (which do not in this case, as they are
>         the default cases for pki_ca_port_t and pki_kra_port_t). In
>         this test case, since none of the interfaces refer to the
>         installation machine IP, none of these ports are labeled by
>         SELinux. The 'pkicreate' executable enforces unique
>         entries. While a second instance (e. g. -
>         KRA) could be installed re-using the entries
>         specified (e. g. - CA), the two instances could not be started
>         simultaneously due to an inability to bind
>         (java.net.BindException: Address already in use) - see
>         'netstat -a | grep ' or 'netstat -a | grep '.
> * successfully tested miscellaneous case of installing a CA using IP > Port Separation which was configured using a customized SAN > 'serverCert.profile' which included two additional SAN entries on > top of the entries computed for IP Port Separation > > The following issues are still actively being addressed: > > * failure of java security manager to allow server to start when > specifying non-installation host ports 80/443 (SELinux in > permissive mode) results in (java.net.BindException: Permission > denied:80) - (i. e. - see > http://www.jvmhost.com/articles/java-net-bindexception-permisssion-denied-operation-not-permitted) > This issue will be documented, and does not block the release of this patch. > > * > * failure of pkisilent to successfully configure a PKI instance > Fixed -- new pkisilent templates for CA and KRA utilizing IP Port Separation were successfully executed. New IP Port Separation pkisilent templates have been created for CA, KRA, OCSP, and TKS. > > * reported concerns regarding the ability to install/configure an > RA/TPS instance which uses the existing code changes requiredfor > interaction with the revised security domain > > This last remaining issue will be investigated starting on 4/11/2013. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20130410_redhat_san_multi_host.patch Type: text/x-patch Size: 3821 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: 20130410_san_multi_host.patch Type: text/x-patch Size: 355150 bytes Desc: not available URL: -------------- next part -------------- diff -r 20130408/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java 20130410/pki/base/common/src/com/netscape/cms/authentication/TokenAuthentication.java 149d148 < CMS.debug("TokenAuthentication: givenHost=" + givenHost); diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminAuthenticatePanel.java 246a247,251 > // preop.ca.hostname = CA EE Hostname > // > // preop.ca.list= > // Certificate Authority - https://:, > // ...,External CA diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/AdminPanel.java 291,292c291,292 < String ca_hostname = null; < int ca_port = -1; --- > String ca_ee_hostname = null; > int ca_ee_port = -1; 301,302c301,302 < ca_hostname = config.getString("preop.ca.hostname"); < ca_port = config.getInteger("preop.ca.httpsport"); --- > ca_ee_hostname = config.getString("preop.ca.hostname"); > ca_ee_port = config.getInteger("preop.ca.httpsport"); 307,308c307,310 < ca_hostname = config.getString("securitydomain.eehost", ""); < ca_port = config.getInteger("securitydomain.httpseeport"); --- > ca_ee_hostname = config.getString( > "securitydomain.eehost", ""); > ca_ee_port = config.getInteger( > "securitydomain.httpseeport"); 313c315,316 < submitRequest(ca_hostname, ca_port, request, response, context); --- > submitRequest(ca_ee_hostname, ca_ee_port, request, response, > context); 433c436 < private void submitRequest(String ca_hostname, int ca_port, HttpServletRequest request, --- > private void submitRequest(String ca_ee_hostname, int ca_ee_port, HttpServletRequest request, 466c469 < httpclient.connect(ca_hostname, ca_port); --- > httpclient.connect(ca_ee_hostname, ca_ee_port); diff -r 
20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/AgentAuthenticatePanel.java 182,183c182,183 < String host = ""; < int httpsport = -1; --- > String ca_ee_host = ""; > int ca_ee_httpsport = -1; 185c185 < host = config.getString("preop.ca.hostname"); --- > ca_ee_host = config.getString("preop.ca.hostname"); 188,189c188,189 < context.put("errorString", "Missing hostname"); < throw new IOException("Missing hostname"); --- > context.put("errorString", "Missing CA EE hostname"); > throw new IOException("Missing CA EE hostname"); 193c193 < httpsport = config.getInteger("preop.ca.httpsport"); --- > ca_ee_httpsport = config.getInteger("preop.ca.httpsport"); 196,197c196,197 < context.put("errorString", "Missing port"); < throw new IOException("Missing port"); --- > context.put("errorString", "Missing Secure CA EE port"); > throw new IOException("Missing Secure CA EE port"); 203c203,204 < boolean authenticated = authenticate(host, httpsport, true, --- > boolean authenticated = authenticate(ca_ee_host, ca_ee_httpsport, > true, diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/AuthenticatePanel.java 151,152c151,152 < String host = ""; < int httpsport = -1; --- > String ca_ee_host = ""; > int ca_ee_httpsport = -1; 154c154 < host = config.getString("preop.ca.hostname"); --- > ca_ee_host = config.getString("preop.ca.hostname"); 157,158c157,158 < context.put("errorString", "Missing hostname"); < throw new IOException("Missing hostname"); --- > context.put("errorString", "Missing CA EE hostname"); > throw new IOException("Missing CA EE hostname"); 162c162 < httpsport = config.getInteger("preop.ca.httpsport"); --- > ca_ee_httpsport = config.getInteger("preop.ca.httpsport"); 165,166c165,166 < context.put("errorString", "Missing port"); < throw new IOException("Missing port"); --- 
> context.put("errorString", "Missing Secure CA EE port"); > throw new IOException("Missing Secure CA EE port"); 169c169,170 < boolean authenticated = authenticate(host, httpsport, true, --- > boolean authenticated = authenticate(ca_ee_host, ca_ee_httpsport, > true, diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/CertUtil.java 384c384 < // "buildSANsslserverURLextension()" --- > // "buildSANSSLserverURLExtension()" 389c389 < public static String buildSANsslserverURLextension(IConfigStore config) --- > public static String buildSANSSLserverURLExtension(IConfigStore config) 394c394 < CMS.debug("CertUtil: buildSANsslserverURLextension() " + --- > CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + 401c401 < CMS.debug("CertUtil: buildSANsslserverURLextension() processing " + --- > CMS.debug("CertUtil: buildSANSSLserverURLExtension() processing " + 411c411 < CMS.debug("CertUtil: buildSANsslserverURLextension() " + "placed " + --- > CMS.debug("CertUtil: buildSANSSLserverURLExtension() " + "placed " + diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/CreateSubsystemPanel.java 257a258,266 > CMS.debug("CreateSubsystemPanel: update " + > "cstype=" + cstype + > " EE host (preop.master.hostname)=" + host + > " EE port (preop.master.hostname)=" + > String.valueOf(https_ee_port) + > " Admin host (preop.master.httpsadminhost)=" + > https_admin_host + > " Admin port (preop.master.httpsadminport)=" + > https_admin_port); diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/DonePanel.java 221c221 < String ca_host = ""; --- > String ca_ee_host = ""; 227c227 < ca_host = cs.getString("preop.ca.hostname", ""); --- > ca_ee_host = cs.getString("preop.ca.hostname", ""); 231c231 < if 
(ca_host.equals("")) --- > if (ca_ee_host.equals("")) 447c447 < if (type.equals("KRA") && !ca_host.equals("")) { --- > if (type.equals("KRA") && !ca_ee_host.equals("")) { 464c464 < if (type.equals("OCSP") && !ca_host.equals("")) { --- > if (type.equals("OCSP") && !ca_ee_host.equals("")) { 566a567 > // preop.ca.hostname = CA EE Hostname 575a577,579 > // preop.ca.list= > // Certificate Authority - https://:, > // ...,External CA 660,661c664,665 < String cahost = ""; < int caport = -1; --- > String ca_ee_host = ""; > int ca_ee_port = -1; 666,667c670,671 < cahost = config.getString("preop.ca.hostname", ""); < caport = config.getInteger("preop.ca.httpsport", -1); --- > ca_ee_host = config.getString("preop.ca.hostname", ""); > ca_ee_port = config.getInteger("preop.ca.httpsport", -1); 679c683 < updateOCSPConfig(cahost, caport, true, content, response); --- > updateOCSPConfig(ca_ee_host, ca_ee_port, true, content, response); 752,753c756,757 < String host = ""; < int port = -1; --- > String ca_ee_host = ""; > int ca_ee_port = -1; 755,756c759,760 < host = cs.getString("preop.ca.hostname", ""); < port = cs.getInteger("preop.ca.httpsport", -1); --- > ca_ee_host = cs.getString("preop.ca.hostname", ""); > ca_ee_port = cs.getInteger("preop.ca.httpsport", -1); 760c764 < return "CA-" + host + "-" + port; --- > return "CA-" + ca_ee_host + "-" + ca_ee_port; 770a775 > // preop.ca.url=https://: diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java 130,131c130,131 < String caHost = ""; < String caPort = ""; --- > String ca_admin_host = ""; > String ca_admin_port = ""; 137,142c137,145 < // this is a non-CA system that has elected to have its certificates < // signed by a CA outside of the security domain. < // in this case, we submitted the cert request for the admin cert to < // the security domain EE host and EE port. 
< caHost = cs.getString("securitydomain.eehost", ""); < caPort = cs.getString("securitydomain.httpseeport", ""); --- > // This is a non-CA system that has elected to have its > // certificates signed by a CA outside of the security > // domain. In this case, we submitted the cert request > // for the admin cert to the security domain Admin host > // and Admin port. > ca_admin_host = cs.getString( > "securitydomain.adminhost", ""); > ca_admin_port = cs.getString( > "securitydomain.httpsadminport", ""); 144c147,148 < "caHost=" + caHost + " caPort=" + caPort); --- > "ca_admin_host=" + ca_admin_host + > " ca_admin_port=" + ca_admin_port); 148,153c152,167 < // this is a non-CA system that submitted its certs to a CA < // within the security domain. In this case, we submitted the cert < // request for the admin cert to this CA < // (via the CA EE host and CA EE port) < caHost = cs.getString("preop.ca.hostname", ""); < caPort = cs.getString("preop.ca.httpsport", ""); --- > // This is a non-CA system that submitted its certs to > // a CA within the security domain. In this case, we > // submitted the cert request for the admin cert to > // this CA via the CA Admin host and CA Admin port > // after using the associated CA EE host and CA EE port > // to look them up in the security domain. 
> String ca_ee_host = cs.getString("preop.ca.hostname", ""); > String ca_ee_port = cs.getString("preop.ca.httpsport", ""); > ca_admin_host = getSecurityDomainAdminHost(cs, > ca_ee_host, > ca_ee_port, > "CA"); > ca_admin_port = getSecurityDomainAdminPort(cs, > ca_ee_host, > ca_ee_port, > "CA"); 155c169,172 < "caHost=" + caHost + " caPort=" + caPort); --- > "ca_ee_host=" + ca_ee_host + > " ca_ee_port=" + ca_ee_port + > " ca_admin_host=" + ca_admin_host + > " ca_admin_port=" + ca_admin_port); 160c177,179 < // send our own connection details --- > // send our own connection details which must utilize > // the CA Admin Host and CA Admin Port since the EE > // connection for this CA is not yet available 162,163c181,182 < caHost = cs.getString("service.adminMachineName", ""); < caPort = cs.getString("pkicreate.admin_secure_port", ""); --- > ca_admin_host = cs.getString("service.adminMachineName", ""); > ca_admin_port = cs.getString("pkicreate.admin_secure_port", ""); 165c184,185 < "caHost=" + caHost + " caPort=" + caPort); --- > "ca_admin_host=" + ca_admin_host + > " ca_admin_port=" + ca_admin_port); 176,177c196,197 < context.put("caHost", caHost); < context.put("caPort", caPort); --- > context.put("caHost", ca_admin_host); > context.put("caPort", ca_admin_port); diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/NamePanel.java 299a300,302 > // preop.ca.list= > // Certificate Authority - https://:, > // ...,External CA 495,496c498,499 < String ca_hostname = ""; < int ca_port = -1; --- > String ca_ee_hostname = ""; > int ca_ee_port = -1; 498,499c501,504 < ca_hostname = config.getString("preop.ca.hostname", ""); < ca_port = config.getInteger("preop.ca.httpsport", -1); --- > ca_ee_hostname = config.getString( > "preop.ca.hostname", ""); > ca_ee_port = config.getInteger( > "preop.ca.httpsport", -1); 514c519 < CertUtil.buildSANsslserverURLextension(config); --- > 
CertUtil.buildSANSSLserverURLExtension(config); 518,519c523,524 < cert = CertUtil.createRemoteCert(ca_hostname, ca_port, < content, response, this); --- > cert = CertUtil.createRemoteCert(ca_ee_hostname, > ca_ee_port, content, response, this); 716a722,724 > // preop.ca.list= > // Certificate Authority - https://:, > // ...,External CA 763a772 > // preop.ca.url=https://: 803a813 > // preop.ca.url=https://: 890,891c900,902 < private void updateCloneSDCAInfo(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException { < CMS.debug("NamePanel updateCloneSDCAInfo: selected CA hostname=" + hostname + " port=" + httpsPortStr); --- > private void updateCloneSDCAInfo(HttpServletRequest request, Context context, String ca_ee_hostname, String ca_ee_httpsPortStr) throws IOException { > CMS.debug("NamePanel updateCloneSDCAInfo: selected CA EE hostname=" + > ca_ee_hostname + " Secure CA EE port=" + ca_ee_httpsPortStr); 896c907 < if (hostname == null || hostname.length() == 0) { --- > if (ca_ee_hostname == null || ca_ee_hostname.length() == 0) { 904,905c915,916 < hostname, < httpsPortStr, --- > ca_ee_hostname, > ca_ee_httpsPortStr, 908,909c919,920 < hostname, < httpsPortStr, --- > ca_ee_hostname, > ca_ee_httpsPortStr, 910a922,926 > CMS.debug("NamePanel: updateCloneSDCAInfo " + > "ca_ee_hostname=" + ca_ee_hostname + > " ca_ee_httpsPortStr=" + ca_ee_httpsPortStr + > " https_admin_host=" + https_admin_host + > " https_admin_port=" + https_admin_port); 912c928 < int httpsport = -1; --- > int ca_ee_httpsport = -1; 915c931 < httpsport = Integer.parseInt(httpsPortStr); --- > ca_ee_httpsport = Integer.parseInt(ca_ee_httpsPortStr); 917,920c933,935 < CMS.debug( < "NamePanel update: Https port is not valid. Exception: " < + e.toString()); < throw new IOException("Https Port is not valid."); --- > CMS.debug("NamePanel update: Https CA EE port is not valid. 
" + > "Exception: " + e.toString()); > throw new IOException("Https CA EE Port is not valid."); 923,924c938,940 < config.putString("preop.ca.hostname", hostname); < config.putString("preop.ca.httpsport", httpsPortStr); --- > // : from preop.ca.list > config.putString("preop.ca.hostname", ca_ee_hostname); > config.putString("preop.ca.httpsport", ca_ee_httpsPortStr); 929c945 < private void sdca(HttpServletRequest request, Context context, String hostname, String httpsPortStr) throws IOException { --- > private void sdca(HttpServletRequest request, Context context, String ca_ee_hostname, String ca_ee_httpsPortStr) throws IOException { 931c947,948 < CMS.debug("NamePanel update: selected CA hostname=" + hostname + " port=" + httpsPortStr); --- > CMS.debug("NamePanel update: selected CA EE hostname=" + > ca_ee_hostname + " Secure CA EE port=" + ca_ee_httpsPortStr); 936,937c953,954 < context.put("sdcaHostname", hostname); < context.put("sdHttpPort", httpsPortStr); --- > context.put("sdcaHostname", ca_ee_hostname); > context.put("sdHttpPort", ca_ee_httpsPortStr); 939c956 < if (hostname == null || hostname.length() == 0) { --- > if (ca_ee_hostname == null || ca_ee_hostname.length() == 0) { 947,948c964,965 < hostname, < httpsPortStr, --- > ca_ee_hostname, > ca_ee_httpsPortStr, 951,952c968,969 < hostname, < httpsPortStr, --- > ca_ee_hostname, > ca_ee_httpsPortStr, 953a971,975 > CMS.debug("NamePanel: sdca " + > "ca_ee_hostname=" + ca_ee_hostname + > " ca_ee_httpsPortStr=" + ca_ee_httpsPortStr + > " https_admin_host=" + https_admin_host + > " https_admin_port=" + https_admin_port); 959,960c981,983 < CMS.debug("NamePanel update: Https port is not valid. Exception: " + e.toString()); < throw new IOException("Https Port is not valid."); --- > CMS.debug("NamePanel update: Https CA Admin port is not valid. 
" + > "Exception: " + e.toString()); > throw new IOException("Https CA Admin Port is not valid."); 963,964c986,988 < config.putString("preop.ca.hostname", hostname); < config.putString("preop.ca.httpsport", httpsPortStr); --- > // : from preop.ca.url > config.putString("preop.ca.hostname", ca_ee_hostname); > config.putString("preop.ca.httpsport", ca_ee_httpsPortStr); diff -r 20130408/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java 238c238,240 < CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port + " url=" + servlet + " content=" + uri); --- > CMS.debug("WizardPanelBase updateDomainXML start hostname=" + > hostname + " port=" + port + " url=" + servlet + > " content=" + uri); 1191c1193 < "Host" ); --- > "AdminHost" ); diff -r 20130408/pki/base/setup/pkicommon 20130410/pki/base/setup/pkicommon 224a225 > $PKI_UNKNOWN_PORT_MODE = "Unknown Port Mode"; 258d258 < my $addr = ""; 662a663,664 > my( $host ) = @_; > my $addr = ""; 664c666 < if( $_[0] !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) { --- > if( $host !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) { 666c668 < ( $addr ) = inet_ntoa( ( gethostbyname( $_[0] ) )[4] ); --- > ( $addr ) = inet_ntoa( ( gethostbyname( $host ) )[4] ); 669c671 < $addr = $_[0]; --- > $addr = $host; 673c675 < $addr = $_[0]; --- > $addr = $host; 716,720c718,724 < # return 3 - IP Separated Port configuration mode is valid (success) < # return 2 - Separated Port configuration mode is valid (success) < # return 1 - RA/TPS/Shared Port configuration mode is valid (success) < # return 0 - specified port configuration mode has a conflict (failure) < sub IsPortConfigurationModeValid --- > # return $PKI_IP_PORT_SEPARATION_MODE > # return $PKI_PORT_SEPARATION_MODE > # return $PKI_SHARED_PORTS_MODE > # return $RA_PORTS_MODE > # return $TPS_PORTS_MODE > # return $PKI_UNKNOWN_PORT_MODE > sub get_port_configuration_mode 749c753 < return 
0; --- > return $PKI_UNKNOWN_PORT_MODE; 757c761 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 761c765 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 767c771 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 776c780 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 779c783 < return 1; --- > return $PKI_SHARED_PORTS_MODE; 804c808 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 807c811 < return 2; --- > return $PKI_PORT_SEPARATION_MODE; 821c825 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 833c837 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 851c855 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 874c878 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 877c881 < return 3; --- > return $PKI_IP_PORT_SEPARATION_MODE; 894c898 < return 0; --- > return $PKI_UNKNOWN_PORT_MODE; 897c901 < return 3; --- > return $PKI_IP_PORT_SEPARATION_MODE; 907,910c911,917 < return 0; < } else { < # Specified RA/TPS connector ports are valid! < return 1; --- > return $PKI_UNKNOWN_PORT_MODE; > } elsif( $subsystem_type eq $RA ) { > # Specified RA connector ports are valid! > return $RA_PORTS_MODE; > } elsif( $subsystem_type eq $TPS ) { > # Specified TPS connector ports are valid! > return $TPS_PORTS_MODE; 932,939c939 < my $unique_list = ""; < foreach my $unique_item (@unique_items) { < if( $unique_list eq "" ) { < $unique_list = $unique_item; < } else { < $unique_list = $unique_list . "," . 
$unique_item; < } < } --- > my $unique_list = join(",", @unique_items); diff -r 20130408/pki/base/setup/pkicreate 20130410/pki/base/setup/pkicreate 406a407 > my $getenforce = "/usr/sbin/getenforce"; 411a413,415 > my $SELINUX_MODE_DISABLED = "Disabled"; > my $SELINUX_MODE_ENFORCING = "Enforcing"; > my $SELINUX_MODE_PERMISSIVE = "Permissive"; 1523,1536c1527,1540 < my $rv = IsPortConfigurationModeValid( $subsystem_type, < $secure_port, < $unsecure_port, < $non_clientauth_secure_port, < $agent_secure_port, < $ee_secure_port, < $ee_secure_client_auth_port, < $admin_secure_port, < $tomcat_server_port, < $agent_hostname, < $ee_hostname, < $ee_client_auth_hostname, < $admin_hostname ); < if( $rv == 3 ) { --- > my $mode = get_port_configuration_mode( $subsystem_type, > $secure_port, > $unsecure_port, > $non_clientauth_secure_port, > $agent_secure_port, > $ee_secure_port, > $ee_secure_client_auth_port, > $admin_secure_port, > $tomcat_server_port, > $agent_hostname, > $ee_hostname, > $ee_client_auth_hostname, > $admin_hostname ); > if( $mode eq $PKI_IP_PORT_SEPARATION_MODE ) { 1564c1568 < } elsif( $rv == 2 ) { --- > } elsif( $mode eq $PKI_PORT_SEPARATION_MODE ) { 1588,1632c1592,1610 < } elsif( $rv == 1 ) { < if( $subsystem_type ne $RA && $subsystem_type ne $TPS ) { < # Set port configuration mode < $port_configuration_mode = $PKI_SHARED_PORTS_MODE; < < # Set all '' equal to the local FQDN hostname < $agent_hostname = $host; < $ee_hostname = $host; < if( $subsystem_type eq $CA ) { < $ee_client_auth_hostname = $host; < } < $admin_hostname = $host; < $san_hostnames = $host; < < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $secure_port; < $ee_uri = $ee_hostname . ':' . $secure_port; < if( $subsystem_type eq $CA ) { < $ee_client_auth_uri = $ee_client_auth_hostname . ':' < . $secure_port; < } < $admin_uri = $admin_hostname . ':' . $secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; < $tomcat_uri = $host . ':' . 
$tomcat_server_port; < emit( " Using 'Shared Ports' Configuration Mode\n" ); < } else { < # Set port configuration mode < if( $subsystem_type eq $RA ) { < $port_configuration_mode = $PKI_RA_PORTS_MODE; < } elsif( $subsystem_type eq $TPS ) { < $port_configuration_mode = $PKI_TPS_PORTS_MODE; < } < < # Set all '' equal to the local FQDN hostname < $agent_hostname = $host; < $ee_hostname = $host; < $admin_hostname = $host; < $san_hostnames = $host; < < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $secure_port; < $ee_uri = $ee_hostname . ':' . $secure_port; < $admin_uri = $admin_hostname . ':' . $secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; < emit( " Using '$SUBSYSTEM_TYPE Ports' Configuration Mode\n" ); --- > } elsif( $mode eq $PKI_SHARED_PORTS_MODE ) { > # Set port configuration mode > $port_configuration_mode = $PKI_SHARED_PORTS_MODE; > > # Set all '' equal to the local FQDN hostname > $agent_hostname = $host; > $ee_hostname = $host; > if( $subsystem_type eq $CA ) { > $ee_client_auth_hostname = $host; > } > $admin_hostname = $host; > $san_hostnames = $host; > > # Establish all ':' URIs > $agent_uri = $agent_hostname . ':' . $secure_port; > $ee_uri = $ee_hostname . ':' . $secure_port; > if( $subsystem_type eq $CA ) { > $ee_client_auth_uri = $ee_client_auth_hostname . ':' > . $secure_port; 1634c1612,1648 < } elsif( $rv == 0 ) { --- > $admin_uri = $admin_hostname . ':' . $secure_port; > $unsecure_uri = $ee_hostname . ':' . $unsecure_port; > $tomcat_uri = $host . ':' . $tomcat_server_port; > emit( " Using 'Shared Ports' Configuration Mode\n" ); > } elsif( $mode eq $RA_PORTS_MODE ) { > # Set port configuration mode > $port_configuration_mode = $PKI_RA_PORTS_MODE; > > # Set all '' equal to the local FQDN hostname > $agent_hostname = $host; > $ee_hostname = $host; > $admin_hostname = $host; > $san_hostnames = $host; > > # Establish all ':' URIs > $agent_uri = $agent_hostname . ':' . $secure_port; > $ee_uri = $ee_hostname . ':' . 
$secure_port; > $admin_uri = $admin_hostname . ':' . $secure_port; > $unsecure_uri = $ee_hostname . ':' . $unsecure_port; > emit( " Using '$RA Ports' Configuration Mode\n" ); > } elsif( $mode eq $TPS_PORTS_MODE ) { > # Set port configuration mode > $port_configuration_mode = $PKI_TPS_PORTS_MODE; > > # Set all '' equal to the local FQDN hostname > $agent_hostname = $host; > $ee_hostname = $host; > $admin_hostname = $host; > $san_hostnames = $host; > > # Establish all ':' URIs > $agent_uri = $agent_hostname . ':' . $secure_port; > $ee_uri = $ee_hostname . ':' . $secure_port; > $admin_uri = $admin_hostname . ':' . $secure_port; > $unsecure_uri = $ee_hostname . ':' . $unsecure_port; > emit( " Using '$TPS Ports' Configuration Mode\n" ); > } elsif( $mode eq $PKI_UNKNOWN_PORT_MODE ) { 3954,3956c3968,3986 < # always check to make certain that the AGENT, EE, EE_Client_Auth, < # ADMIN, and UNSECURE ports refer to ports located on the < # installation host ($host) prior to making any attempt to label them --- > # Always check to make certain that the AGENT, EE, EE_Client_Auth, > # ADMIN, and UNSECURE ports refer to ports located on the installation > # host ($host) prior to making any attempt to label them using SELinux. > # > # The primary purpose of this is to allow the user to implement > # IP Separation (e. g. - all interfaces distinguishable by unique > # IPs using a common port), while still leaving the installation host > # protected by SELinux in Enforcing mode. > # > # It should be noted, however, that if an interface port is allowed to be > # unlabeled, in order to avoid potential port-level SELinux binding issues > # on the installation host, always check to make certain that the specified > # port has not previously been labeled on the installation host. 
> # > # IMPORTANT: Caution should be taken when using unlabeled ports, as this > # does not prevent a future application from labeling this > # port for its own use on the installation host which > # could cause port-level SELinux binding issues. > # 3959a3990,4018 > } elsif ( $agent_secure_port != -1 ) { > print( STDOUT > "Agent port $agent_secure_port is unlabeled " > . "on $agent_hostname\n" ); > $status = &check_selinux_port($setype_p, $agent_secure_port); > if ($status == $SELINUX_PORT_UNDEFINED) { > print( STDERR > "Warning - Agent port $agent_secure_port could be " > . "defined on the installation host $host in the future.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_DEFINED) { > print( STDERR > "Warning - Agent port $agent_secure_port is already " > . "defined as $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) { > print( STDERR > "Warning - Agent port $agent_secure_port is " > . "already defined as a different SELinux context type " > . "than $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > my $selinux_mode = system("$getenforce"); > if ($selinux_mode == $SELINUX_MODE_ENFORCING) { > print( STDERR > "Error - Agent port $agent_secure_port cannot " > . "be used when SELinux mode is 'Enforcing'.\n" ); > print( STDOUT "\n" ); > } > } 3963a4023,4051 > } elsif ( $ee_secure_port != -1 ) { > print( STDOUT > "EE port $ee_secure_port is unlabeled " > . "on $ee_hostname\n" ); > $status = &check_selinux_port($setype_p, $ee_secure_port); > if ($status == $SELINUX_PORT_UNDEFINED) { > print( STDERR > "Warning - EE port $ee_secure_port could be " > . "defined on the installation host $host in the future.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_DEFINED) { > print( STDERR > "Warning - EE port $ee_secure_port is already " > . 
"defined as $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) { > print( STDERR > "Warning - EE port $ee_secure_port is " > . "already defined as a different SELinux context type " > . "than $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > my $selinux_mode = system("$getenforce"); > if ($selinux_mode == $SELINUX_MODE_ENFORCING) { > print( STDERR > "Error - EE port $ee_secure_port cannot " > . "be used when SELinux mode is 'Enforcing'.\n" ); > print( STDOUT "\n" ); > } > } 3965,3968c4053,4091 < if( ( $subsystem_type eq $CA ) && < ( $ee_client_auth_hostname eq $host ) && < ( $ee_secure_client_auth_port != -1 ) ) { < &add_selinux_port($setype_p, $ee_secure_client_auth_port); --- > if($subsystem_type eq $CA ) { > if( ( $ee_client_auth_hostname eq $host ) && > ( $ee_secure_client_auth_port != -1 ) ) { > &add_selinux_port($setype_p, $ee_secure_client_auth_port); > } elsif ( $ee_secure_client_auth_port != -1 ) { > print( STDOUT > "EE client auth port $ee_secure_client_auth_port is " > . "unlabeled on $ee_hostname\n" ); > $status = &check_selinux_port($setype_p, > $ee_secure_client_auth_port); > if ($status == $SELINUX_PORT_UNDEFINED) { > print( STDERR > "Warning - EE client auth port " > . "$ee_secure_client_auth_port could be defined on the " > . "installation host $host in the future.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_DEFINED) { > print( STDERR > "Warning - EE client auth port " > . "$ee_secure_client_auth_port is already defined " > . "as $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) { > print( STDERR > "Warning - EE client auth port " > . "$ee_secure_client_auth_port is " > . "already defined as a different SELinux context type " > . 
"than $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > my $selinux_mode = system("$getenforce"); > if ($selinux_mode == $SELINUX_MODE_ENFORCING) { > print( STDERR > "Error - EE client auth port " > . "$ee_secure_client_auth_port cannot be used " > . "when SELinux mode is 'Enforcing'.\n" ); > print( STDOUT "\n" ); > } > } > } 3972a4096,4124 > } elsif ( $admin_secure_port != -1 ) { > print( STDOUT > "Admin port $admin_secure_port is unlabeled " > . "on $admin_hostname\n" ); > $status = &check_selinux_port($setype_p, $admin_secure_port); > if ($status == $SELINUX_PORT_UNDEFINED) { > print( STDERR > "Warning - Admin port $admin_secure_port could be " > . "defined on the installation host $host in the future.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_DEFINED) { > print( STDERR > "Warning - Admin port $admin_secure_port is already " > . "defined as $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) { > print( STDERR > "Warning - Admin port $admin_secure_port is " > . "already defined as a different SELinux context type " > . "than $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > my $selinux_mode = system("$getenforce"); > if ($selinux_mode == $SELINUX_MODE_ENFORCING) { > print( STDERR > "Error - Admin port $admin_secure_port cannot " > . "be used when SELinux mode is 'Enforcing'.\n" ); > print( STDOUT "\n" ); > } > } 3976a4129,4157 > } elsif ( $unsecure_port != -1 ) { > print( STDOUT > "Unsecure EE port $unsecure_port is unlabeled " > . "on $ee_hostname\n" ); > $status = &check_selinux_port($setype_p, $unsecure_port); > if ($status == $SELINUX_PORT_UNDEFINED) { > print( STDERR > "Warning - Unsecure EE port $unsecure_port could be " > . 
"defined on the installation host $host in the future.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_DEFINED) { > print( STDERR > "Warning - Unsecure EE port $unsecure_port is already " > . "defined as $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > } elsif ($status == $SELINUX_PORT_WRONGLY_DEFINED) { > print( STDERR > "Warning - Unsecure EE port $unsecure_port is " > . "already defined as a different SELinux context type " > . "than $setype_p on the installation host $host.\n" ); > print( STDOUT "\n" ); > my $selinux_mode = system("$getenforce"); > if ($selinux_mode == $SELINUX_MODE_ENFORCING) { > print( STDERR > "Error - Unsecure EE port $unsecure_port cannot " > . "be used when SELinux mode is 'Enforcing'.\n" ); > print( STDOUT "\n" ); > } > } diff -r 20130408/pki/base/silent/templates/.svn/entries 20130410/pki/base/silent/templates/.svn/entries 4c4 < 2554 --- > 2558 96a97,110 > silent_kra_ip_port.template > file > 0 > > > add > > > > > > has-props > has-prop-mods > 198a213,226 > silent_tks_ip_port.template > file > 0 > > > add > > > > > > has-props > has-prop-mods > 232a261,288 > silent_ca_ip_port.template > file > 0 > > > add > > > > > > has-props > has-prop-mods > > silent_ocsp_ip_port.template > file > 0 > > > add > > > > > > has-props > has-prop-mods > Only in 20130410/pki/base/silent/templates/.svn/props: silent_ca_ip_port.template.svn-work Only in 20130410/pki/base/silent/templates/.svn/props: silent_kra_ip_port.template.svn-work Only in 20130410/pki/base/silent/templates/.svn/props: silent_ocsp_ip_port.template.svn-work Only in 20130410/pki/base/silent/templates/.svn/props: silent_tks_ip_port.template.svn-work Only in 20130410/pki/base/silent/templates: silent_ca_ip_port.template Only in 20130410/pki/base/silent/templates: silent_kra_ip_port.template Only in 20130410/pki/base/silent/templates: silent_ocsp_ip_port.template Only in 20130410/pki/base/silent/templates: silent_tks_ip_port.template diff -r 
20130408/pki/dogtag/common-ui/shared/admin/console/config/.svn/entries 20130410/pki/dogtag/common-ui/shared/admin/console/config/.svn/entries 4c4 < 2554 --- > 2556 607c607 < config_clone.vm --- > config_addhsm.vm 614c614 < b1b0eac6ba11da8973b71cbe635fe83d --- > a5a9da0bcd3219760bab0904ec8fe706 639c639 < 3910 --- > 2823 641c641 < config_addhsm.vm --- > config_clone.vm 648c648 < a5a9da0bcd3219760bab0904ec8fe706 --- > b1b0eac6ba11da8973b71cbe635fe83d 673c673 < 2823 --- > 3910 777c777 < xml.vm --- > namepanel.vm 784,787c784,787 < 74e94014e433bb1034d2093dc561b5f7 < 2008-03-18T22:36:57.789174Z < 2 < PKI Team --- > e593f5594ef351870739c36210dd7854 > 2009-02-27T17:29:15.650851Z > 262 > alee 809c809 < 75 --- > 3795 845c845 < namepanel.vm --- > xml.vm 852,855c852,855 < e593f5594ef351870739c36210dd7854 < 2009-02-27T17:29:15.650851Z < 262 < alee --- > 74e94014e433bb1034d2093dc561b5f7 > 2008-03-18T22:36:57.789174Z > 2 > PKI Team 877c877 < 3795 --- > 75 1089c1089 < 2013-01-28T19:56:22.000000Z --- > 2013-04-10T19:18:50.000000Z diff -r 20130408/pki/dogtag/common-ui/shared/admin/console/config/importadmincertpanel.vm 20130410/pki/dogtag/common-ui/shared/admin/console/config/importadmincertpanel.vm 50c50 < document.writeln(''); --- > document.writeln(''); 52c52 < document.writeln(''); --- > document.writeln(''); diff -r 20130408/pki/redhat/common-ui/shared/admin/console/config/.svn/all-wcprops 20130410/pki/redhat/common-ui/shared/admin/console/config/.svn/all-wcprops 108,113d107 < config_clone.vm < K 25 < svn:wc:ra_dav:version-url < V 121 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_clone.vm < END 119a114,119 > config_clone.vm > K 25 > svn:wc:ra_dav:version-url > V 121 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_clone.vm > END 138c138 < xml.vm --- > namepanel.vm 141,142c141,142 < V 112 < 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/xml.vm --- > V 118 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/namepanel.vm 150c150 < namepanel.vm --- > xml.vm 153,154c153,154 < V 118 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/namepanel.vm --- > V 112 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/xml.vm diff -r 20130408/pki/redhat/common-ui/shared/admin/console/config/.svn/entries 20130410/pki/redhat/common-ui/shared/admin/console/config/.svn/entries 4c4 < 16073 --- > 16075 607c607 < config_addhsm.vm --- > config_clone.vm 614c614 < db6b8039e207cb6a4c6335b447c5c4a8 --- > 7621e438ac042716133c5454a42b055d 639c639 < 2830 --- > 3918 641c641 < config_clone.vm --- > config_addhsm.vm 648c648 < 7621e438ac042716133c5454a42b055d --- > db6b8039e207cb6a4c6335b447c5c4a8 673c673 < 3918 --- > 2830 777c777 < namepanel.vm --- > xml.vm 784,787c784,787 < e593f5594ef351870739c36210dd7854 < 2009-02-27T17:49:21.091588Z < 15433 < alee at REDHAT.COM --- > 4ba759406bd097c46db558c58becea0c > 2011-01-20T23:10:17.714646Z > 15835 > mharmsen at REDHAT.COM 809c809 < 3795 --- > 875 845c845 < xml.vm --- > namepanel.vm 852,855c852,855 < 4ba759406bd097c46db558c58becea0c < 2011-01-20T23:10:17.714646Z < 15835 < mharmsen at REDHAT.COM --- > e593f5594ef351870739c36210dd7854 > 2009-02-27T17:49:21.091588Z > 15433 > alee at REDHAT.COM 877c877 < 875 --- > 3795 1089c1089 < 2013-02-06T23:00:37.000000Z --- > 2013-04-10T18:39:45.000000Z diff -r 20130408/pki/redhat/common-ui/shared/admin/console/config/importadmincertpanel.vm 20130410/pki/redhat/common-ui/shared/admin/console/config/importadmincertpanel.vm 50c50 < document.writeln(''); --- > document.writeln(''); 52c52 < document.writeln(''); --- > document.writeln(''); Only in 
20130410/pki/redhat/common-ui/shared/admin/console/config: importadmincertpanel.vm.mlh

From cfu at redhat.com Thu Apr 11 04:05:06 2013
From: cfu at redhat.com (Christina Fu)
Date: Wed, 10 Apr 2013 21:05:06 -0700
Subject: [Pki-devel] Request for review: Bug 928680 - Minor additions to pkisilent (ECC)
Message-ID: <51663672.9000205@redhat.com>

Please review the following patch for
https://bugzilla.redhat.com/show_bug.cgi?id=928680

https://bugzilla.redhat.com/attachment.cgi?id=733986&action=diff&context=patch&collapsed=&headers=1&format=raw

Please note that the 1st reported issue regarding trust bits was pre-existing with RSA, so it is not specific to ECC.

thanks,
Christina

From alee at redhat.com Thu Apr 11 15:32:53 2013
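
Review bot: in the 20130408/20130410 recursive diff above, every new $SELINUX_PORT_WRONGLY_DEFINED branch (hunks 3959a3990,4018, 3963a4023,4051, 3965,3968c4053,4091, 3972a4096,4124 and 3976a4129,4157) sets 'my $selinux_mode = system("$getenforce");', and Perl's system() returns the command's wait status rather than the text getenforce prints, so the comparison with $SELINUX_MODE_ENFORCING does not test the SELinux mode unless that constant is defined as an exit status (its definition is not in these hunks). Capture the output with backticks, chomp it, and compare against the mode string. The "Error - ... cannot be used when SELinux mode is 'Enforcing'" path also only prints: nothing in the hunks returns a failure or stops the installation after reporting the port as unusable. In hunk 3965,3968c4053,4091 the condition tests $ee_client_auth_hostname while the message reports the port as unlabeled "on $ee_hostname". The five blocks differ only in the label, the port variable and the hostname, so a single helper taking those three values would keep the checks and messages consistent.
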
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Apr 2013 11:32:53 -0400
Subject: [Pki-devel] [PATCH] RHCS 8.1 - SAN Multi-Host Patches (preliminary) [UPDATE 20130410]
In-Reply-To: <51662FE4.6060205@redhat.com>
References: <51635A8C.1060202@redhat.com> <51662FE4.6060205@redhat.com>
Message-ID: <1365694373.2226.35.camel@localhost.localdomain>

See comments below.

On Wed, 2013-04-10 at 20:37 -0700, Matthew Harmsen wrote:
> On 04/08/13 17:02, Matthew Harmsen wrote:
>
> > Please perform an initial code review on the attached patches (only
> > applicable for RHCS 8.1 on RHEL 5).
> >
> Three new patches (two which are revisions to the previous patches,
> and one which represents a simple recursive diff between the two
> 'pki' trees which contain the code changes) have been attached which
> address the following issues raised during code review (also see
> inline comments regarding other issues):
>   * base/common/src/com/netscape/cms/authentication/TokenAuthentication.java:
>       * remove CMS.debug("TokenAuthentication: givenHost=" + givenHost);
>   * base/common/src/com/netscape/cms/servlet/csadmin/*Panel.java:
>       * rename 'buildSANsslserverURLextension' to 'buildSANSSLserverURLExtension'
>       * fix preop.ca.hostname (be explicit as to which host this refers to)
>   * base/common/src/com/netscape/cms/servlet/csadmin/ImportAdminCertPanel.java:
>       * try to make them all use EE host and EE port (which
>         did not work as the EE connection is unavailable
>         during installation of a CA)
>       * since that did not work for all cases, fixed all cases
>         to utilize Admin host and Admin port as requested
>   * base/common/src/com/netscape/cms/servlet/csadmin/WizardPanelBase.java:
>       * break line CMS.debug("WizardPanelBase updateDomainXML start hostname=" + hostname + " port=" + port + " url=" + servlet + " content=" + uri);
>       * change 'Vector v_admin_host = parser.getValuesFromContainer( nodeList.item(i), "Host" );'
>         to 'Vector v_admin_host = parser.getValuesFromContainer( nodeList.item(i), "AdminHost" );'
>   * base/pkisilent/templates:
>       * fixed failure of pkisilent to successfully configure a PKI instance
>           * New IP Port Separation pkisilent templates have been
>             created for CA, KRA, OCSP, and TKS
>           * New pkisilent templates for CA and KRA utilizing IP
>             Port Separation were successfully executed
>   * base/setup/pkicommon:
>       * make 'addr' a local variable rather than global variable
>       * used join() for SAN uniqueness routine
>       * renamed 'IsPortConfigurationModeValid' to
>         'get_port_configuration_mode' and changed it to return
>         strings rather than integers
>       * added logic to check for unlabeled ports being defined
>         on installation host primarily to support IP
>         Separation (e. g. - all interfaces distinguishable by
>         unique IPs using a common port)

This is an interesting solution. What it basically says is that if you are using virtual IPs, then we will not label the ports - which is probably correct, and there is probably a rule already in the policy that allows the app to connect to all VIPs.

This is not optimal. The right way to do this is to use semanage to specify access to particular interfaces (semanage interface ..). This should also happen in conjunction with a change in the policy restricting the interfaces to which we can connect.

I suggest we open a separate bug for this, and we can triage this separately.

> The lone remaining item that MUST be addressed (besides any additional
> feedback associated with these revised patches) is:
>   * reported concerns regarding the ability to install/configure
>     an RA/TPS instance which uses the existing code changes
>     required for interaction with the revised security domain
>       * will be investigated starting on 4/11/2013
>
> The new patches do not address the following items from the previous
> code review, and may not be addressed due to schedule and resources:
>   * base/setup/pkiremove:
>       * revive 'use strict' - was removed since 'pkiremove'
>         now references variables from the 'require pkicommon'
>         file; this was probably the cause for 'use strict' not
>         being a part of 'pkicreate'

I'm not too happy about this. A basic minimum in terms of maintainability is to use "use strict". While we do not use any of this code in dogtag 10, this code will be deployed for a while.

I think we need to open a separate bug for this (to revive "use strict" in all the pkicreate/pkiremove code). This bug need not hold up the current development cycle, but rather can be addressed during the QE testing phase.

>       * in pkiremove, in the function where it is determined
>         which selinux ports to remove, the $i variable is used
>         to track the index of the array - no need to do that
>         -- just use append()
>   * base/setup/pkicommon:
>       * modularization of IsPortConfigurationModeValid() - e.
>         g. - uniqueness helper functions to replace large
>         conditional blocks
>       * refactor IsPortConfigurationModeValid() - rejected as
>         it was discussed that since the code has been tested
>         numerous times, and while this may help with
>         maintainability, this code is only used for the 8.1
>         code base errata process
>       * standardize coding style - rejected for the 8.1 code
>         base -- this has already been addressed in the Dogtag
>         10 code base

I suspect that refactoring the IsConfigurationModeValid() function will allow you to improve the error checking more transparently. For instance, it's not clear to me that you are actually testing for host:port uniqueness in the IP separation case, and I can certainly conceive of input parameter combinations that will break your checks.

In the long run, making this clearer will reduce support issues. Remember that this code will be around for a while.

As for the testing aspect, refactoring this function does not require a full install. This function could be tested in a standalone / unit test like mode.

So, not fixing this is not ideal - but we can live with it for now. Perhaps we should open a bug for this, and then triage it accordingly.

The changes so far other than that are fine.

> -- Matt
> > The following two patches address:
> >   * 'pkicreate' now does three types of port configuration:
> >       * IP Port Separation
> >       * Port Separation
> >       * Shared Ports (deprecated)
> >   * security manager issue was fixed
> >   * new security domain schema is complete
> >   * the security domain has been implemented to comply with this
> >     new schema
> >   * generated a multi-host CA complete with an SSL Server
> >     Certificate containing SAN information (utilizes profile
> >     framework)
> >   * generated a multi-host KRA complete with an SSL Server
> >     Certificate containing SAN information (utilizes name/value
> >     pairs passed in via the enrollment URL which are processed
> >     via the profile framework)
> >   * addressed 'TokenAuthenticate' SSL_ForceHandshake issue by
> >     utilizing DNSName instead of DirectoryName attributes in the
> >     SSL Server certificate SAN extensions
> >   * applied the checkIP() feature described in 'Bugzilla Bug
> >     #708075 - Clone installation does not work over NAT'
> >   * applied substitution of raw IP addresses from 'pkicreate'
> >     into the 'server.xml' to support the new IP Port Separation
> >     mode
> > Development test info:
> >   * pki-ip-host (installation host - RHEL 5.9 x86_64)
> >       * pki-ca-agent (CA agent interface - virtual IP)
> >       * pki-ca-ee (CA EE interface - virtual IP)
> >       * pki-ca-ee-ca (CA EE clientauth interface - virtual IP)
> >       * pki-ca-admin (CA admin interface - virtual IP)
> >       * pki-kra-agent (KRA agent interface - virtual IP)
> >       * pki-kra-ee (KRA EE interface - virtual IP)
> >       * pki-kra-admin (KRA admin interface - virtual IP)
> >   * pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different
> >     domain)
> > Thus far, only the following tests have been run against these
> > patches:
> >   * successfully tested regression case of CA and KRA installed
> >     using Port Separation
> >   * successfully tested sanity case of CA and KRA installed
> >     using IP Port Separation
> >   * successfully tested mixed mode deployment case of a CA
> >     installed using Port Separation and a KRA installed using IP
> >     Port Separation
> >   * successfully tested mixed mode deployment case of a CA
> >     installed using IP Port Separation and a KRA installed using
> >     Port Separation
> >   * successfully tested miscellaneous case of specifying a CA
> >     with four virtual IPs (none of which belonged to the host
> >     that the server was being installed upon) using IP Port
> >     Separation
> >   * successfully tested miscellaneous case of CA and KRA
> >     installed using IP Port Separation utilizing unique IP
> >     addresses for each interface (none of which specified the
> >     installation host IP), but specifying the same HTTP/HTTPS
> >     port numbers (e. g. - 19080/19443) and unique ports for
> >     Tomcat (9701/10701)
> >       * NOTE: I managed to successfully test this case with
> >         SELinux in Enforcing mode -- this is because the
> >         only ports that would be labeled are the Tomcat
> >         ports which exist on the installation machine (which
> >         do not in this case, as they are the default cases
> >         for pki_ca_port_t and pki_kra_port_t). In this test
> >         case, since none of the interfaces refer to the
> >         installation machine IP, none of these ports are
> >         labeled by SELinux. The 'pkicreate' executable
> >         enforces unique entries. While a
> >         second instance (e. g. - KRA) could be installed
> >         re-using the entries specified (e.
> >         g. - CA), the two instances could not be started
> >         simultaneously due to an inability to bind
> >         (java.net.BindException: Address already in use) -
> >         see 'netstat -a | grep ' or 'netstat -a | grep
> >         '.
> >   * successfully tested miscellaneous case of installing a CA
> >     using IP Port Separation which was configured using a
> >     customized SAN 'serverCert.profile' which included two
> >     additional SAN entries on top of the entries computed for IP
> >     Port Separation
> > The following issues are still actively being addressed:
> >   * failure of java security manager to allow server to start
> >     when specifying non-installation host ports 80/443 (SELinux
> >     in permissive mode) results in (java.net.BindException:
> >     Permission denied:80) - (i. e. - see
> >     http://www.jvmhost.com/articles/java-net-bindexception-permisssion-denied-operation-not-permitted)
> This issue will be documented, and does not block the release of this
> patch.
> >   * failure of pkisilent to successfully configure a PKI
> >     instance
> Fixed -- new pkisilent templates for CA and KRA utilizing IP Port
> Separation were successfully executed. New IP Port Separation
> pkisilent templates have been created for CA, KRA, OCSP, and TKS.
> >   * reported concerns regarding the ability to install/configure
> >     an RA/TPS instance which uses the existing code changes
> >     required for interaction with the revised security domain
> >
> This last remaining issue will be investigated starting on 4/11/2013.
> >
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Thu Apr 11 15:35:12 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Apr 2013 11:35:12 -0400
Subject: [Pki-devel] Request for review: Bug 928680 - Minor additions to pkisilent (ECC)
In-Reply-To: <51663672.9000205@redhat.com>
References: <51663672.9000205@redhat.com>
Message-ID: <1365694512.2226.36.camel@localhost.localdomain>

ACK

On Wed, 2013-04-10 at 21:05 -0700, Christina Fu wrote:
> Please review the following patch for
> https://bugzilla.redhat.com/show_bug.cgi?id=928680
>
> https://bugzilla.redhat.com/attachment.cgi?id=733986&action=diff&context=patch&collapsed=&headers=1&format=raw
>
> Please note that the 1st reported issue regarding trust bits was
> pre-existing with RSA, so it is not specific to ECC.
>
> thanks,
> Christina
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Thu Apr 11 16:11:07 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Apr 2013 12:11:07 -0400
Subject: [Pki-devel] Request for review: Bug 928680 - Minor additions to pkisilent (ECC)
In-Reply-To: <1365694512.2226.36.camel@localhost.localdomain>
References: <51663672.9000205@redhat.com> <1365694512.2226.36.camel@localhost.localdomain>
Message-ID: <1365696667.2226.40.camel@localhost.localdomain>

Endi brought up an interesting question ..

In this code, you do a string comparison to find the CA cert.

+ if (ca_certs[i].getSubjectDN().toString().equals( + cert.getIssuerDN().toString())) {

Is a string comparison valid? For example, if one uses c=US and the other uses C=US, then the string comparison might fail. Shouldn't some DN comparison operation be done instead?

Ade

On Thu, 2013-04-11 at 11:35 -0400, Ade Lee wrote:
> ACK
>
> On Wed, 2013-04-10 at 21:05 -0700, Christina Fu wrote:
> > Please review the following patch for
> > https://bugzilla.redhat.com/show_bug.cgi?id=928680
> >
> > https://bugzilla.redhat.com/attachment.cgi?id=733986&action=diff&context=patch&collapsed=&headers=1&format=raw
> >
> > Please note that the 1st reported issue regarding trust bits was
> > pre-existing with RSA, so it is not specific to ECC.
> >
> > thanks,
> > Christina
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From cfu at redhat.com Thu Apr 11 17:02:02 2013
From: cfu at redhat.com (Christina Fu)
Date: Thu, 11 Apr 2013 10:02:02 -0700
Subject: [Pki-devel] Request for review: Bug 928680 - Minor additions to pkisilent (ECC)
In-Reply-To: <1365696667.2226.40.camel@localhost.localdomain>
References: <51663672.9000205@redhat.com> <1365694512.2226.36.camel@localhost.localdomain> <1365696667.2226.40.camel@localhost.localdomain>
Message-ID: <5166EC8A.9030902@redhat.com>

On 04/11/2013 09:11 AM, Ade Lee wrote:
> Endi brought up an interesting question ..
>
> In this code, you do a string comparison to find the CA cert.
>
> + if (ca_certs[i].getSubjectDN().toString().equals( > + cert.getIssuerDN().toString())) {
>
> Is a string comparison valid? For example, if one uses c=US and the
> other uses C=US, then the string comparison might fail. Shouldn't some
> DN comparison operation be done instead?

The Issuer DN of a cert and the Subject DN of the issuer's cert have to be encoded exactly the same, therefore, the string comparison within the same Java VM should give the same result. Ideally, I'd want to compare Authority Key Identifier and Subject Key Identifier but due to the lack of JSS exposure for appropriate NSS functions, I took an easier route.

This brought up something else. I originally was going to look through PKCS7 instead of searching the DB for efficiency, however, again, due to lack of JSS functions, I had to change course yesterday. I made that decision because pkisilent is just a tool that is to be run once during installation, so if it does take a little longer it should be fine for now. I think later when we have time we should refactor JSS and offer richer interfaces.

thanks,
Christina

> Ade
>
> On Thu, 2013-04-11 at 11:35 -0400, Ade Lee wrote:
>> ACK
>>
>> On Wed, 2013-04-10 at 21:05 -0700, Christina Fu wrote:
>>> Please review the following patch for
>>> https://bugzilla.redhat.com/show_bug.cgi?id=928680
>>>
>>> https://bugzilla.redhat.com/attachment.cgi?id=733986&action=diff&context=patch&collapsed=&headers=1&format=raw
>>>
>>> Please note that the 1st reported issue regarding trust bits was
>>> pre-existing with RSA, so it is not specific to ECC.
>>>
>>> thanks,
>>> Christina
>>>
>>> _______________________________________________
>>> Pki-devel mailing list
>>> Pki-devel at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-devel
>>
>> _______________________________________________
>> Pki-devel mailing list
>> Pki-devel at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-devel
>

From edewata at redhat.com Thu Apr 11 21:20:18 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 11 Apr 2013 16:20:18 -0500
Subject: [Pki-devel] [PATCH] 227 Fixed version number in CMake script.
Message-ID: <51672912.9010902@redhat.com>

The main CMake script has been modified to remove hard-coded APPLICATION_VERSION_PATCH. This fixed the problem building javadoc.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0227-Fixed-version-number-in-CMake-script.patch
Type: text/x-patch
Size: 1887 bytes
Desc: not available
URL:

From alee at redhat.com Fri Apr 12 02:45:27 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Apr 2013 22:45:27 -0400
Subject: [Pki-devel] [PATCH] in place migration for 8.1
Message-ID: <1365734727.2686.1.camel@aleeredhat.laptop>

Realized I had forgotten one more change to web.xml on the CA.
Please review. This is for 8.1 only.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bar.patch
Type: text/x-patch
Size: 2335 bytes
Desc: not available
URL:

From mharmsen at redhat.com Fri Apr 12 02:54:02 2013
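
The issuer lookup debated in the Bug 928680 thread above (string comparison of DNs versus a DN-aware comparison), as an added example that is not code from the patch or from JSS. It uses only the JDK's X500Principal and X509Certificate APIs; the class name, the helpers compare(), findIssuer() and load(), and the two sample DNs are constructed for illustration. The sample DNs differ only in letter case and internal whitespace, so they differ as text and as DER but are equal in canonical form.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.security.auth.x500.X500Principal;

public class IssuerMatch {

    /** Compare two DNs three ways: RFC 2253 text, DER bytes, canonical form. */
    static String compare(X500Principal a, X500Principal b) {
        boolean sameText = a.getName().equals(b.getName());
        boolean sameDer = Arrays.equals(a.getEncoded(), b.getEncoded());
        // X500Principal.equals() compares the getName(CANONICAL) strings,
        // which fold case and collapse runs of whitespace in attribute values.
        boolean sameCanonical = a.equals(b);
        return "text=" + sameText + " der=" + sameDer + " canonical=" + sameCanonical;
    }

    /**
     * Hypothetical helper: return the certificate in caCerts that issued cert,
     * or null. The name match only narrows the candidates; the signature check
     * decides, so two CAs sharing a subject DN are told apart by their keys.
     */
    static X509Certificate findIssuer(X509Certificate cert, X509Certificate[] caCerts) {
        X500Principal issuer = cert.getIssuerX500Principal();
        for (X509Certificate ca : caCerts) {
            if (!issuer.equals(ca.getSubjectX500Principal())) {
                continue;
            }
            try {
                cert.verify(ca.getPublicKey());
                return ca;
            } catch (GeneralSecurityException e) {
                // Same name, but the signature does not verify under this key
                // (for example a re-keyed CA): keep looking.
            }
        }
        return null;
    }

    /** Load one PEM or DER encoded certificate from a file. */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample names, not taken from any real certificate.
        X500Principal subject = new X500Principal("CN=Example CA,O=Example Corp,C=US");
        X500Principal issuer = new X500Principal("CN=example ca,O=Example  Corp,C=US");
        System.out.println(compare(subject, issuer));

        // Optional: IssuerMatch <cert file> <CA cert file>...
        if (args.length >= 2) {
            X509Certificate cert = load(args[0]);
            X509Certificate[] cas = new X509Certificate[args.length - 1];
            for (int i = 1; i < args.length; i++) {
                cas[i - 1] = load(args[i]);
            }
            X509Certificate ca = findIssuer(cert, cas);
            System.out.println(ca == null
                    ? "no issuer found"
                    : "issuer: " + ca.getSubjectX500Principal().getName());
        }
    }
}
```
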
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 11 Apr 2013 19:54:02 -0700
Subject: [Pki-devel] [PATCH] in place migration for 8.1
In-Reply-To: <1365734727.2686.1.camel@aleeredhat.laptop>
References: <1365734727.2686.1.camel@aleeredhat.laptop>
Message-ID: <5167774A.1050304@redhat.com>

On 04/11/13 19:45, Ade Lee wrote:
> Realized I had forgotten one more change to web.xml on the CA.
> Please review. This is for 8.1 only.
>
> Ade
>
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

ACK
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From alee at redhat.com Fri Apr 12 03:58:40 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 11 Apr 2013 23:58:40 -0400
Subject: [Pki-devel] [PATCH] in place migration for 8.1
In-Reply-To: <5167774A.1050304@redhat.com>
References: <1365734727.2686.1.camel@aleeredhat.laptop> <5167774A.1050304@redhat.com>
Message-ID: <1365739120.2686.3.camel@aleeredhat.laptop>

Pushed to 8.1 errata and 8.2

On Thu, 2013-04-11 at 19:54 -0700, Matthew Harmsen wrote:
> On 04/11/13 19:45, Ade Lee wrote:
>
> > Realized I had forgotten one more change to web.xml on the CA.
> > Please review. This is for 8.1 only.
> >
> > Ade
> >
> >
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
> ACK

From alee at redhat.com Fri Apr 12 14:27:27 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 12 Apr 2013 10:27:27 -0400
Subject: [Pki-devel] [PATCH] 125 - migration script for cloning changes
Message-ID: <1365776847.2686.7.camel@aleeredhat.laptop>

Ticket 546.

There are some additional cloning changes which have not yet been ported to dogtag 10. These will be added in a separate patch (with migration changes).

This goes on top of Endi's patch for the random number generator changes.

Please review.
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0125-Migration-script-for-cloning-changes.patch
Type: text/x-patch
Size: 6374 bytes
Desc: not available
URL:

From alee at redhat.com Fri Apr 12 16:30:09 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 12 Apr 2013 12:30:09 -0400
Subject: [Pki-devel] [PATCH] 126 - Add tokenAuthenticate to admin interface.
Message-ID: <1365784209.2686.10.camel@aleeredhat.laptop>

This was part of the cloning changes recently added to 8.1. Also added the required migration script code. This goes on top of patch 125.

Please review.
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0126-Added-tokenAuthenticate-to-admin-interface.patch
Type: text/x-patch
Size: 10335 bytes
Desc: not available
URL:

From mharmsen at redhat.com Sun Apr 14 06:14:39 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Sat, 13 Apr 2013 23:14:39 -0700
Subject: [Pki-devel] [PATCH] RHCS 8.1 - SAN Multi-Host Patches [20130413]
Message-ID: <516A494F.9080202@redhat.com>

Please review the attached patches which seek to implement '*Bugzilla Bug #902956* - [RFE] Cert System 8.1 - Provide automated option for IP separated configuration' for RHCS 8.1.

Three new patches (two which are revisions to the previous patches, and one which represents a simple recursive diff between the two 'pki' trees which contain the code changes) have been attached which address the remaining issues.

  * This version of the code has been tested utilizing the following configuration:
      o pki-ip-host (installation host - RHEL 5.9 x86_64)
          + pki-ca-agent (CA agent interface - virtual IP)
          + pki-ca-ee (CA EE interface - virtual IP)
          + pki-ca-ee-ca (CA EE clientauth interface - virtual IP)
          + pki-ca-admin (CA admin interface - virtual IP)
          + pki-kra-agent (KRA agent interface - virtual IP)
          + pki-kra-ee (KRA EE interface - virtual IP)
          + pki-kra-admin (KRA admin interface - virtual IP)
      o pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a different domain)
  * Tests utilizing the browser GUI interface have been tested successfully for the following PKI subsystems:
      o CA using four VIPs
      o KRA using three VIPs
      o OCSP (was never tested, but is strongly believed to work since the batch 'pkisilent' worked successfully)
      o TKS using 'pki-ip-host' as the address for all three hosts
      o RA connecting to this CA
      o TPS connecting to this CA, KRA, and TKS
  * Tests utilizing new 'pkisilent' batch process templates, the following PKI subsystems have been tested successfully:
      o CA using four VIPs
      o KRA using three VIPs
      o OCSP using 'pki-ip-host' as the address for all three hosts
      o TKS using 'pki-ip-host' as the address for all three hosts
      o RA failed to connect to this CA (Bugzilla Bug #951891 filed)
      o TPS connecting to this CA, KRA, and TKS
  * Bugs have been filed for all remaining issues (many of which may be addressable during the Q/E test cycle):
      o *Bugzilla Bug #224770* - Apply "use strict" methodology to "pkicommon/pkicreate/pkiremove/pkicomplete" . . .
      o *Bugzilla Bug #951886* - Refactor 'get_port_configuration_mode()' in 'pkicommon'
      o *Bugzilla Bug #951887* - Use of unlabelled SELinux ports on VIPs to support 'IP Separation'
      o *Bugzilla Bug #951890* - Include default EE clientauth port (9446) in pki-selinux policy
      o *Bugzilla Bug #951891* - 'silent_ra_to_ip_port.template' fails to configure an RA successfully
      o *Bugzilla Bug #910175* - [DOC] Cert System 8.1 - IP Port Separation Configuration Mode (additional material has been added to this bug)

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130413_redhat_san_multi_host.patch
Type: text/x-patch
Size: 3821 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130413_san_multi_host.patch
Type: text/x-patch
Size: 483959 bytes
Desc: not available
URL:
-------------- next part --------------
diff -r 20130410/pki/.svn/entries 20130413/pki/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-12T02:57:05.580597Z > 2563 diff -r 20130410/pki/base/.svn/entries 20130413/pki/base/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-12T02:57:05.580597Z > 2563 diff -r 20130410/pki/base/ca/.svn/entries 20130413/pki/base/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/config/.svn/entries 20130413/pki/base/ca/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/doc/.svn/entries 20130413/pki/base/ca/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/setup/.svn/entries 20130413/pki/base/ca/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/.svn/entries 20130413/pki/base/ca/shared/.svn/entries
4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/alias/.svn/entries 20130413/pki/base/ca/shared/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/conf/.svn/entries 20130413/pki/base/ca/shared/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/emails/.svn/entries 20130413/pki/base/ca/shared/emails/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/etc/.svn/entries 20130413/pki/base/ca/shared/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/etc/init.d/.svn/entries 20130413/pki/base/ca/shared/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/logs/.svn/entries 20130413/pki/base/ca/shared/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/logs/signedAudit/.svn/entries 20130413/pki/base/ca/shared/logs/signedAudit/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/profiles/.svn/entries 20130413/pki/base/ca/shared/profiles/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/profiles/ca/.svn/entries 20130413/pki/base/ca/shared/profiles/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/shared/.svn/entries 20130413/pki/base/ca/shared/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/shared/classes/.svn/entries 20130413/pki/base/ca/shared/shared/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/shared/lib/.svn/entries 20130413/pki/base/ca/shared/shared/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/temp/.svn/entries 20130413/pki/base/ca/shared/temp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/webapps/.svn/entries 20130413/pki/base/ca/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/webapps/ROOT/.svn/entries 20130413/pki/base/ca/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/ca/shared/webapps/ROOT/WEB-INF/.svn/entries 20130413/pki/base/ca/shared/webapps/ROOT/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/webapps/ca/.svn/entries 20130413/pki/base/ca/shared/webapps/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/webapps/ca/WEB-INF/.svn/entries 20130413/pki/base/ca/shared/webapps/ca/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/webapps/ca/WEB-INF/classes/.svn/entries 20130413/pki/base/ca/shared/webapps/ca/WEB-INF/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/shared/work/.svn/entries 20130413/pki/base/ca/shared/work/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/src/.svn/entries 20130413/pki/base/ca/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/src/com/.svn/entries 20130413/pki/base/ca/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/src/com/netscape/.svn/entries 20130413/pki/base/ca/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ca/src/com/netscape/ca/.svn/entries 20130413/pki/base/ca/src/com/netscape/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/.svn/entries 20130413/pki/base/common/.svn/entries 4c4 < 2554 --- > 2564 10,12c10,12 < 2013-04-04T19:28:43.276281Z < 2553 < vakwetu --- > 2013-04-12T01:14:49.624638Z > 2561 > awnuk diff -r 20130410/pki/base/common/config/.svn/entries 20130413/pki/base/common/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/scripts/.svn/entries 20130413/pki/base/common/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/setup/.svn/entries 20130413/pki/base/common/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/.svn/entries 20130413/pki/base/common/src/.svn/entries 4c4 < 2554 --- > 2564 10,12c10,12 < 2013-04-04T19:28:43.276281Z < 2553 < vakwetu --- > 2013-04-12T01:14:49.624638Z > 2561 > 
awnuk diff -r 20130410/pki/base/common/src/com/.svn/entries 20130413/pki/base/common/src/com/.svn/entries 4c4 < 2554 --- > 2564 10,12c10,12 < 2013-04-04T19:28:43.276281Z < 2553 < vakwetu --- > 2013-04-12T01:14:49.624638Z > 2561 > awnuk diff -r 20130410/pki/base/common/src/com/netscape/.svn/entries 20130413/pki/base/common/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 10,12c10,12 < 2013-04-04T19:28:43.276281Z < 2553 < vakwetu --- > 2013-04-12T01:14:49.624638Z > 2561 > awnuk diff -r 20130410/pki/base/common/src/com/netscape/certsrv/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/acls/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/acls/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/apps/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/apps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/authentication/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/authority/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/authority/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/authorization/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/authorization/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/base/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/base/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/ca/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/cert/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/cert/.svn/entries 4c4 < 
2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/client/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/client/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/client/connection/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/client/connection/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/common/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/connector/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/connector/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/certdb/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/certdb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/crldb/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/crldb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/keydb/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/keydb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/replicadb/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/replicadb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/dbs/repository/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/dbs/repository/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/evaluators/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/evaluators/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/certsrv/extensions/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/extensions/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/jobs/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/jobs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/kra/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/ldap/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/ldap/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/listeners/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/listeners/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/logging/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/logging/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/notification/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/notification/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/ocsp/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/password/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/password/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/pattern/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/pattern/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/policy/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/policy/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/profile/.svn/entries 
20130413/pki/base/common/src/com/netscape/certsrv/profile/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/property/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/property/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/publish/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/publish/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/ra/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/registry/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/registry/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/request/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/request/ldap/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/request/ldap/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/security/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/security/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/selftests/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/selftests/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/template/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/template/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/tks/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/certsrv/usrgrp/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/usrgrp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/certsrv/util/.svn/entries 20130413/pki/base/common/src/com/netscape/certsrv/util/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/authentication/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/authorization/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/authorization/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/crl/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/crl/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/evaluators/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/evaluators/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/jobs/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/jobs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/listeners/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/listeners/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/logging/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/logging/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/notification/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/notification/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/ocsp/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/password/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/password/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/cms/policy/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/policy/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/policy/constraints/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/policy/constraints/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/policy/extensions/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/policy/extensions/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/common/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/constraint/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/constraint/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/def/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/def/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/input/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/input/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/output/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/output/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/profile/updater/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/profile/updater/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/publish/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/publish/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/cms/publish/mappers/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/publish/mappers/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/publish/publishers/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/publish/publishers/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/request/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/ca/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/common/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/kra/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/ocsp/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/ra/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/selftests/tks/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/selftests/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/admin/.svn/entries 
20130413/pki/base/common/src/com/netscape/cms/servlet/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/base/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/base/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/cert/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/cert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/cert/scep/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/cert/scep/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/common/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/connector/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/connector/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/csadmin/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/csadmin/.svn/entries 4c4 < 2554 --- > 2564 1015c1015 < ConfigBaseServlet.java --- > ModulePanel.java 1022c1022 < b1b214658458f99043447ce1e88d6cca --- > e7feabb12b8ab2fbde2bb9602b39f8c5 1047c1047 < 4789 --- > 11260 1049c1049 < ModulePanel.java --- > ConfigCertApprovalCallback.java 1056c1056 < e7feabb12b8ab2fbde2bb9602b39f8c5 --- > 2ee299e600427067c47a6b787ba254ce 1081c1081 < 11260 --- > 1227 1083c1083 < ConfigCertApprovalCallback.java --- > ConfigBaseServlet.java 1090c1090 < 2ee299e600427067c47a6b787ba254ce --- > b1b214658458f99043447ce1e88d6cca 1115c1115 < 1227 --- > 4789 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/filter/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/filter/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/key/.svn/entries 
20130413/pki/base/common/src/com/netscape/cms/servlet/key/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/ocsp/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/processors/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/processors/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/profile/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/profile/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/request/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/tks/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/servlet/wizard/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/servlet/wizard/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cms/shares/.svn/entries 20130413/pki/base/common/src/com/netscape/cms/shares/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T18:37:47.645623Z < 2551 --- > 2013-04-12T01:14:49.624638Z > 2561 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/apps/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/apps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/authentication/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/cmscore/authorization/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/authorization/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/base/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/base/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/cert/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/cert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/connector/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/connector/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/crmf/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/crmf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/dbs/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/dbs/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T18:37:47.645623Z < 2551 --- > 2013-04-12T01:14:49.624638Z > 2561 1123,1126c1123,1126 < 2013-04-04T21:03:31.000000Z < 6c11a67fb64a9df957d6440e9f4ac9a3 < 2013-04-04T18:37:47.645623Z < 2551 --- > 2013-04-13T02:42:09.000000Z > f7df82e8089417bb636e2bcdda9df274 > 2013-04-12T01:14:49.624638Z > 2561 1149c1149 < 83986 --- > 85390 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/dbs/.svn/text-base/CertificateRepository.java.svn-base 20130413/pki/base/common/src/com/netscape/cmscore/dbs/.svn/text-base/CertificateRepository.java.svn-base 61a62 > private static final String PROP_MINIMUM_RANDOM_BITS = "minimumRandomBits"; 155a157 > CMS.debug("CertificateRepository: getRandomNumber mRangeSize="+mRangeSize); 156a159 > CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength); 158c161 < rid = -1; // shared ranges using replica IDs are postponed --- > CMS.debug("CertificateRepository: getRandomNumber rid="+rid); 163a167 > 
mReplicaBitLength = 0; // shared ranges using replica IDs are postponed 164a169,171 > CMS.debug("CertificateRepository: getRandomNumber mRandomRangeSize="+mRandomRangeSize); > CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ > " -mReplicaBitLength="+mReplicaBitLength+" >mMinRandomBitLength="+mMinRandomBitLength); 166a174,175 > CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ > " -mReplicaBitLength="+mReplicaBitLength+" nextSerialNumber = nextSerialNumber.add(mMinSerialNo); 373c382 < CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"")); --- > CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); 377c386,395 < if (t != null) { --- > if (CMS.isPreOpMode()) { > CMS.debug("CertificateRepository: getInRangeCounter: CMS.isPreOpMode"); > counter = new BigInteger("-2"); > mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-2"); > try { > CMS.getConfigStore().commit(false); > } catch (Exception e) { > CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); > } > } else if (t != null) { 382c400 < } else if (s.equals("-2") || (c.equals("-1") && CMS.isPreOpMode())) { --- > } else if (s.equals("-2")) { 406a425 > mMinRandomBitLength = mDBConfig.getInteger(PROP_MINIMUM_RANDOM_BITS, 4); 412a432 > " mMinRandomBitLength="+mMinRandomBitLength+ diff -r 20130410/pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java 20130413/pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java 50c50 < * @version $Revision: 2551 $, $Date: 2013-04-04 14:37:47 -0400 (Thu, 04 Apr 2013) $ --- > * @version $Revision: 2561 $, $Date: 2013-04-11 21:14:49 -0400 (Thu, 11 Apr 2013) $ 61a62 > private static final String PROP_MINIMUM_RANDOM_BITS = "minimumRandomBits"; 155a157 > CMS.debug("CertificateRepository: getRandomNumber mRangeSize="+mRangeSize); 156a159 > CMS.debug("CertificateRepository: 
getRandomNumber mBitLength="+mBitLength); 158c161 < rid = -1; // shared ranges using replica IDs are postponed --- > CMS.debug("CertificateRepository: getRandomNumber rid="+rid); 163a167 > mReplicaBitLength = 0; // shared ranges using replica IDs are postponed 164a169,171 > CMS.debug("CertificateRepository: getRandomNumber mRandomRangeSize="+mRandomRangeSize); > CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ > " -mReplicaBitLength="+mReplicaBitLength+" >mMinRandomBitLength="+mMinRandomBitLength); 166a174,175 > CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ > " -mReplicaBitLength="+mReplicaBitLength+" nextSerialNumber = nextSerialNumber.add(mMinSerialNo); 373c382 < CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"")); --- > CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); 377c386,395 < if (t != null) { --- > if (CMS.isPreOpMode()) { > CMS.debug("CertificateRepository: getInRangeCounter: CMS.isPreOpMode"); > counter = new BigInteger("-2"); > mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-2"); > try { > CMS.getConfigStore().commit(false); > } catch (Exception e) { > CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); > } > } else if (t != null) { 382c400 < } else if (s.equals("-2") || (c.equals("-1") && CMS.isPreOpMode())) { --- > } else if (s.equals("-2")) { 406a425 > mMinRandomBitLength = mDBConfig.getInteger(PROP_MINIMUM_RANDOM_BITS, 4); 412a432 > " mMinRandomBitLength="+mMinRandomBitLength+ diff -r 20130410/pki/base/common/src/com/netscape/cmscore/extensions/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/extensions/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/jobs/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/jobs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/src/com/netscape/cmscore/ldap/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/ldap/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/ldapconn/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/ldapconn/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/listeners/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/listeners/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/logging/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/logging/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/notification/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/notification/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/policy/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/policy/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/profile/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/profile/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/registry/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/registry/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/request/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/security/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/security/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/selftests/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/selftests/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/time/.svn/entries 
20130413/pki/base/common/src/com/netscape/cmscore/time/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/usrgrp/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/usrgrp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/src/com/netscape/cmscore/util/.svn/entries 20130413/pki/base/common/src/com/netscape/cmscore/util/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/.svn/entries 20130413/pki/base/common/test/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/.svn/entries 20130413/pki/base/common/test/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/.svn/entries 20130413/pki/base/common/test/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/certsrv/.svn/entries 20130413/pki/base/common/test/com/netscape/certsrv/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/certsrv/app/.svn/entries 20130413/pki/base/common/test/com/netscape/certsrv/app/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/certsrv/authentication/.svn/entries 20130413/pki/base/common/test/com/netscape/certsrv/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/certsrv/logging/.svn/entries 20130413/pki/base/common/test/com/netscape/certsrv/logging/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/certsrv/request/.svn/entries 20130413/pki/base/common/test/com/netscape/certsrv/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/cmscore/.svn/entries 20130413/pki/base/common/test/com/netscape/cmscore/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/cmscore/dbs/.svn/entries 20130413/pki/base/common/test/com/netscape/cmscore/dbs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/common/test/com/netscape/cmscore/request/.svn/entries 20130413/pki/base/common/test/com/netscape/cmscore/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/common/test/com/netscape/cmscore/test/.svn/entries 20130413/pki/base/common/test/com/netscape/cmscore/test/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/config/.svn/entries 20130413/pki/base/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/.svn/entries 20130413/pki/base/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/config/.svn/entries 20130413/pki/base/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/.svn/entries 20130413/pki/base/console/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/.svn/entries 20130413/pki/base/console/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/.svn/entries 20130413/pki/base/console/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/config/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/config/install/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/config/install/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/connection/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/connection/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/console/src/com/netscape/admin/certsrv/images/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/keycert/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/keycert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/managecert/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/managecert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/menu/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/menu/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/misc/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/misc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/notification/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/notification/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/security/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/security/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/status/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/status/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/task/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/task/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/ug/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/ug/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/admin/certsrv/wizard/.svn/entries 20130413/pki/base/console/src/com/netscape/admin/certsrv/wizard/.svn/entries 
4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/certsrv/.svn/entries 20130413/pki/base/console/src/com/netscape/certsrv/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/src/com/netscape/certsrv/common/.svn/entries 20130413/pki/base/console/src/com/netscape/certsrv/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/console/templates/.svn/entries 20130413/pki/base/console/templates/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/.svn/entries 20130413/pki/base/java-tools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/config/.svn/entries 20130413/pki/base/java-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/doc/.svn/entries 20130413/pki/base/java-tools/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/src/.svn/entries 20130413/pki/base/java-tools/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/src/com/.svn/entries 20130413/pki/base/java-tools/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/src/com/netscape/.svn/entries 20130413/pki/base/java-tools/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/src/com/netscape/cmstools/.svn/entries 20130413/pki/base/java-tools/src/com/netscape/cmstools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/java-tools/templates/.svn/entries 20130413/pki/base/java-tools/templates/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/.svn/entries 20130413/pki/base/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/config/.svn/entries 20130413/pki/base/kra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/doc/.svn/entries 20130413/pki/base/kra/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/setup/.svn/entries 20130413/pki/base/kra/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/kra/shared/.svn/entries 20130413/pki/base/kra/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/alias/.svn/entries 20130413/pki/base/kra/shared/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/conf/.svn/entries 20130413/pki/base/kra/shared/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/etc/.svn/entries 20130413/pki/base/kra/shared/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/etc/init.d/.svn/entries 20130413/pki/base/kra/shared/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/logs/.svn/entries 20130413/pki/base/kra/shared/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/logs/signedAudit/.svn/entries 20130413/pki/base/kra/shared/logs/signedAudit/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/shared/.svn/entries 20130413/pki/base/kra/shared/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/shared/classes/.svn/entries 20130413/pki/base/kra/shared/shared/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/shared/lib/.svn/entries 20130413/pki/base/kra/shared/shared/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/temp/.svn/entries 20130413/pki/base/kra/shared/temp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/webapps/.svn/entries 20130413/pki/base/kra/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/webapps/ROOT/.svn/entries 20130413/pki/base/kra/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/webapps/ROOT/WEB-INF/.svn/entries 20130413/pki/base/kra/shared/webapps/ROOT/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/webapps/kra/.svn/entries 20130413/pki/base/kra/shared/webapps/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/kra/shared/webapps/kra/WEB-INF/.svn/entries 20130413/pki/base/kra/shared/webapps/kra/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/webapps/kra/WEB-INF/classes/.svn/entries 20130413/pki/base/kra/shared/webapps/kra/WEB-INF/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/shared/work/.svn/entries 20130413/pki/base/kra/shared/work/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/src/.svn/entries 20130413/pki/base/kra/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/src/com/.svn/entries 20130413/pki/base/kra/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/src/com/netscape/.svn/entries 20130413/pki/base/kra/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/kra/src/com/netscape/kra/.svn/entries 20130413/pki/base/kra/src/com/netscape/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/manage/.svn/entries 20130413/pki/base/manage/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/manage/config/.svn/entries 20130413/pki/base/manage/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/.svn/entries 20130413/pki/base/migrate/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-12T02:57:05.580597Z > 2563 diff -r 20130410/pki/base/migrate/41ToTxt/.svn/entries 20130413/pki/base/migrate/41ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/41ToTxt/classes/.svn/entries 20130413/pki/base/migrate/41ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/41ToTxt/src/.svn/entries 20130413/pki/base/migrate/41ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42SP2ToTxt/.svn/entries 20130413/pki/base/migrate/42SP2ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42SP2ToTxt/classes/.svn/entries 
20130413/pki/base/migrate/42SP2ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42SP2ToTxt/src/.svn/entries 20130413/pki/base/migrate/42SP2ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42ToTxt/.svn/entries 20130413/pki/base/migrate/42ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42ToTxt/classes/.svn/entries 20130413/pki/base/migrate/42ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/42ToTxt/src/.svn/entries 20130413/pki/base/migrate/42ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/45ToTxt/.svn/entries 20130413/pki/base/migrate/45ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/45ToTxt/classes/.svn/entries 20130413/pki/base/migrate/45ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/45ToTxt/src/.svn/entries 20130413/pki/base/migrate/45ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/47ToTxt/.svn/entries 20130413/pki/base/migrate/47ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/47ToTxt/classes/.svn/entries 20130413/pki/base/migrate/47ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/47ToTxt/src/.svn/entries 20130413/pki/base/migrate/47ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/60ToTxt/.svn/entries 20130413/pki/base/migrate/60ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/60ToTxt/classes/.svn/entries 20130413/pki/base/migrate/60ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/60ToTxt/src/.svn/entries 20130413/pki/base/migrate/60ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/61ToTxt/.svn/entries 20130413/pki/base/migrate/61ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/61ToTxt/classes/.svn/entries 
20130413/pki/base/migrate/61ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/61ToTxt/src/.svn/entries 20130413/pki/base/migrate/61ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/62ToTxt/.svn/entries 20130413/pki/base/migrate/62ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/62ToTxt/classes/.svn/entries 20130413/pki/base/migrate/62ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/62ToTxt/src/.svn/entries 20130413/pki/base/migrate/62ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/63ToTxt/.svn/entries 20130413/pki/base/migrate/63ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/63ToTxt/classes/.svn/entries 20130413/pki/base/migrate/63ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/63ToTxt/src/.svn/entries 20130413/pki/base/migrate/63ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/70ToTxt/.svn/entries 20130413/pki/base/migrate/70ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/70ToTxt/classes/.svn/entries 20130413/pki/base/migrate/70ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/70ToTxt/src/.svn/entries 20130413/pki/base/migrate/70ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/71ToTxt/.svn/entries 20130413/pki/base/migrate/71ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/71ToTxt/classes/.svn/entries 20130413/pki/base/migrate/71ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/71ToTxt/src/.svn/entries 20130413/pki/base/migrate/71ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/72ToTxt/.svn/entries 20130413/pki/base/migrate/72ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/72ToTxt/classes/.svn/entries 
20130413/pki/base/migrate/72ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/72ToTxt/src/.svn/entries 20130413/pki/base/migrate/72ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/73ToTxt/.svn/entries 20130413/pki/base/migrate/73ToTxt/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/73ToTxt/classes/.svn/entries 20130413/pki/base/migrate/73ToTxt/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/73ToTxt/src/.svn/entries 20130413/pki/base/migrate/73ToTxt/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/80/.svn/entries 20130413/pki/base/migrate/80/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/80To81/.svn/entries 20130413/pki/base/migrate/80To81/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-12T02:57:05.580597Z > 2563 35,38c35,38 < 2013-04-04T21:03:31.000000Z < c5cb756da97e5d913cc47fc4f568d41f < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-11T02:48:26.000000Z > 49d8850480e9f26ce328bb7cb0c45715 > 2013-04-10T13:40:18.088192Z > 2555 61c61 < 57530 --- > 60261 103,106c103,106 < 2013-04-04T21:03:31.000000Z < a09c2edf97cbb9a56d5ce690f1fe014d < 2013-04-04T19:28:43.276281Z < 2553 --- > 2013-04-13T02:42:09.000000Z > 8d69dec9439b162f6ad984efee05c62f > 2013-04-12T02:57:05.580597Z > 2563 129c129 < 29765 --- > 31197 diff -r 20130410/pki/base/migrate/80To81/.svn/text-base/common.pm.svn-base 20130413/pki/base/migrate/80To81/.svn/text-base/common.pm.svn-base 6d5 < use XML::LibXML; 27a27 > update_node_text add_node remove_node 32a33,35 > use Socket; > use Sys::Hostname; > use XML::LibXML; 74a78 > my $PKI_PORT_CONFIGURATION_MODE_SLOT = "PKI_PORT_CONFIGURATION_MODE"; 103a108,112 > my $PKI_AGENT_MACHINE_IP_ADDR_SLOT = "PKI_AGENT_MACHINE_IP_ADDR"; > my $PKI_EE_MACHINE_IP_ADDR_SLOT = "PKI_EE_MACHINE_IP_ADDR"; > my $PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR_SLOT = 
"PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR"; > my $PKI_ADMIN_MACHINE_IP_ADDR_SLOT = "PKI_ADMIN_MACHINE_IP_ADDR"; > my $PKI_AGENT_MACHINE_NAME_SLOT = "PKI_AGENT_MACHINE_NAME"; 149a159,165 > my $is_IPv6 = 0; > > if( defined( $ENV{ 'PKI_HOSTNAME' } ) ) { > # IPv6: Retrieve hostname from environment variable > $is_IPv6 = 1; > } > 428a445,466 > # arg0 hostname > # return "4-tuple" IP address (IPv4), or pass-through hostname (IPv6) > sub get_IP_address_from_FQDN > { > my $addr = ""; > if( !$is_IPv6 ) { > if( $_[0] !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) { > # Retrieve IP address from a "mnemonic" hostname > ( $addr ) = inet_ntoa( ( gethostbyname( $_[0] ) )[4] ); > } else { > # Simply return passed-in "4-tuple" IP address > $addr = $_[0]; > } > } else { > # IPv6: Don't rely upon "Socket6.pm" being present! > $addr = $_[0]; > } > > return( $addr ); > } > > 628a667,691 > #ip addresses > my $agent_ip_addr = get_IP_address_from_FQDN($agentMachineName); > my $ee_ip_addr = get_IP_address_from_FQDN($eeMachineName); > my $ee_client_auth_ip_addr = get_IP_address_from_FQDN($eecaMachineName); > my $admin_ip_addr = get_IP_address_from_FQDN($adminMachineName); > > # port configuration mode > my $port_configuration_mode = ""; > if (exists $cfg->{'service.portConfigurationMode'} and \ > defined $cfg->{'service.portConfigurationMode'}) { > $port_configuration_mode = $cfg->{'service.portConfigurationMode'}; > } else { > if ($subsystem_type eq $RA) { > $port_configuration_mode = "RA Ports"; > } elsif ($subsystem_type eq $TPS) { > $port_configuration_mode = "TPS Ports"; > } elsif (($secure_port == $ee_secure_port) && > ($secure_port == $admin_secure_port) && > ($secure_port == $agent_secure_port)) { > $port_configuration_mode = "Shared Ports"; > } else { > $port_configuration_mode = "Port Separation"; > } > } > 707,710c770 < $slot_hash{$PKI_AGENT_MACHINE_NAME} = $agentMachineName; < $slot_hash{$PKI_EE_MACHINE_NAME} = $eeMachineName; < $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_NAME} = $eecaMachineName; < 
$slot_hash{$PKI_ADMIN_MACHINE_NAME} = $adminMachineName; --- > $slot_hash{$PKI_PORT_CONFIGURATION_MODE_SLOT} = $port_configuration_mode; 746a807,815 > $slot_hash{$PKI_AGENT_MACHINE_NAME} = $agentMachineName; > $slot_hash{$PKI_EE_MACHINE_NAME} = $eeMachineName; > $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_NAME} = $eecaMachineName; > $slot_hash{$PKI_ADMIN_MACHINE_NAME} = $adminMachineName; > $slot_hash{$PKI_AGENT_MACHINE_IP_ADDR_SLOT} = $agent_ip_addr; > $slot_hash{$PKI_EE_MACHINE_IP_ADDR_SLOT} = $ee_ip_addr; > $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR_SLOT} = $ee_client_auth_ip_addr; > $slot_hash{$PKI_ADMIN_MACHINE_IP_ADDR_SLOT} = $admin_ip_addr; > $slot_hash{$PKI_PORT_CONFIGURATION_MODE_SLOT} = $port_configuration_mode; diff -r 20130410/pki/base/migrate/80To81/.svn/text-base/upgrade_config.pl.svn-base 20130413/pki/base/migrate/80To81/.svn/text-base/upgrade_config.pl.svn-base 112a113,140 > my $tokenAuthenticateServletData = > " > caTokenAuthenticate-admin > com.netscape.cms.servlet.csadmin.TokenAuthenticate > > GetClientCert > false > > > authority > ca > > > ID > caTokenAuthenticate > > > interface > admin > > "; > > my $tokenAuthenticateMappingData = > " > caTokenAuthenticate-admin > /admin/ca/tokenAuthenticate > "; > 508a537,545 > > #add caTokenAuthenticate-admin > $q = "//servlet[normalize-space(servlet-name) = 'caTokenAuthenticate-admin']"; > &add_node($doc, $parser, $q, $top_path, $tokenAuthenticateServletData); > > #add caTokenAuthenticate-admin servlet mapping > $q = "//servlet-mapping[normalize-space(servlet-name) = " . 
> "'caTokenAuthenticate-admin']"; > &add_node($doc,$parser, $q, $top_path, $tokenAuthenticateMappingData); diff -r 20130410/pki/base/migrate/80To81/classes/.svn/entries 20130413/pki/base/migrate/80To81/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/80To81/common.pm 20130413/pki/base/migrate/80To81/common.pm 6d5 < use XML::LibXML; 27a27 > update_node_text add_node remove_node 32a33,35 > use Socket; > use Sys::Hostname; > use XML::LibXML; 74a78 > my $PKI_PORT_CONFIGURATION_MODE_SLOT = "PKI_PORT_CONFIGURATION_MODE"; 103a108,112 > my $PKI_AGENT_MACHINE_IP_ADDR_SLOT = "PKI_AGENT_MACHINE_IP_ADDR"; > my $PKI_EE_MACHINE_IP_ADDR_SLOT = "PKI_EE_MACHINE_IP_ADDR"; > my $PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR_SLOT = "PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR"; > my $PKI_ADMIN_MACHINE_IP_ADDR_SLOT = "PKI_ADMIN_MACHINE_IP_ADDR"; > my $PKI_AGENT_MACHINE_NAME_SLOT = "PKI_AGENT_MACHINE_NAME"; 149a159,165 > my $is_IPv6 = 0; > > if( defined( $ENV{ 'PKI_HOSTNAME' } ) ) { > # IPv6: Retrieve hostname from environment variable > $is_IPv6 = 1; > } > 428a445,466 > # arg0 hostname > # return "4-tuple" IP address (IPv4), or pass-through hostname (IPv6) > sub get_IP_address_from_FQDN > { > my $addr = ""; > if( !$is_IPv6 ) { > if( $_[0] !~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) { > # Retrieve IP address from a "mnemonic" hostname > ( $addr ) = inet_ntoa( ( gethostbyname( $_[0] ) )[4] ); > } else { > # Simply return passed-in "4-tuple" IP address > $addr = $_[0]; > } > } else { > # IPv6: Don't rely upon "Socket6.pm" being present! 
> $addr = $_[0]; > } > > return( $addr ); > } > > 628a667,691 > #ip addresses > my $agent_ip_addr = get_IP_address_from_FQDN($agentMachineName); > my $ee_ip_addr = get_IP_address_from_FQDN($eeMachineName); > my $ee_client_auth_ip_addr = get_IP_address_from_FQDN($eecaMachineName); > my $admin_ip_addr = get_IP_address_from_FQDN($adminMachineName); > > # port configuration mode > my $port_configuration_mode = ""; > if (exists $cfg->{'service.portConfigurationMode'} and \ > defined $cfg->{'service.portConfigurationMode'}) { > $port_configuration_mode = $cfg->{'service.portConfigurationMode'}; > } else { > if ($subsystem_type eq $RA) { > $port_configuration_mode = "RA Ports"; > } elsif ($subsystem_type eq $TPS) { > $port_configuration_mode = "TPS Ports"; > } elsif (($secure_port == $ee_secure_port) && > ($secure_port == $admin_secure_port) && > ($secure_port == $agent_secure_port)) { > $port_configuration_mode = "Shared Ports"; > } else { > $port_configuration_mode = "Port Separation"; > } > } > 707,710c770 < $slot_hash{$PKI_AGENT_MACHINE_NAME} = $agentMachineName; < $slot_hash{$PKI_EE_MACHINE_NAME} = $eeMachineName; < $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_NAME} = $eecaMachineName; < $slot_hash{$PKI_ADMIN_MACHINE_NAME} = $adminMachineName; --- > $slot_hash{$PKI_PORT_CONFIGURATION_MODE_SLOT} = $port_configuration_mode; 746a807,815 > $slot_hash{$PKI_AGENT_MACHINE_NAME} = $agentMachineName; > $slot_hash{$PKI_EE_MACHINE_NAME} = $eeMachineName; > $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_NAME} = $eecaMachineName; > $slot_hash{$PKI_ADMIN_MACHINE_NAME} = $adminMachineName; > $slot_hash{$PKI_AGENT_MACHINE_IP_ADDR_SLOT} = $agent_ip_addr; > $slot_hash{$PKI_EE_MACHINE_IP_ADDR_SLOT} = $ee_ip_addr; > $slot_hash{$PKI_EE_CLIENT_AUTH_MACHINE_IP_ADDR_SLOT} = $ee_client_auth_ip_addr; > $slot_hash{$PKI_ADMIN_MACHINE_IP_ADDR_SLOT} = $admin_ip_addr; > $slot_hash{$PKI_PORT_CONFIGURATION_MODE_SLOT} = $port_configuration_mode; diff -r 20130410/pki/base/migrate/80To81/src/.svn/entries 
20130413/pki/base/migrate/80To81/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/80To81/upgrade_config.pl 20130413/pki/base/migrate/80To81/upgrade_config.pl 112a113,140 > my $tokenAuthenticateServletData = > " > caTokenAuthenticate-admin > com.netscape.cms.servlet.csadmin.TokenAuthenticate > > GetClientCert > false > > > authority > ca > > > ID > caTokenAuthenticate > > > interface > admin > > "; > > my $tokenAuthenticateMappingData = > " > caTokenAuthenticate-admin > /admin/ca/tokenAuthenticate > "; > 508a537,545 > > #add caTokenAuthenticate-admin > $q = "//servlet[normalize-space(servlet-name) = 'caTokenAuthenticate-admin']"; > &add_node($doc, $parser, $q, $top_path, $tokenAuthenticateServletData); > > #add caTokenAuthenticate-admin servlet mapping > $q = "//servlet-mapping[normalize-space(servlet-name) = " . > "'caTokenAuthenticate-admin']"; > &add_node($doc,$parser, $q, $top_path, $tokenAuthenticateMappingData); diff -r 20130410/pki/base/migrate/TpsTo80/.svn/entries 20130413/pki/base/migrate/TpsTo80/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TpsTo80/linux/.svn/entries 20130413/pki/base/migrate/TpsTo80/linux/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TpsTo80/solaris/.svn/entries 20130413/pki/base/migrate/TpsTo80/solaris/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo60/.svn/entries 20130413/pki/base/migrate/TxtTo60/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo60/classes/.svn/entries 20130413/pki/base/migrate/TxtTo60/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo60/src/.svn/entries 20130413/pki/base/migrate/TxtTo60/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo61/.svn/entries 20130413/pki/base/migrate/TxtTo61/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo61/classes/.svn/entries 20130413/pki/base/migrate/TxtTo61/classes/.svn/entries 4c4 < 
2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo61/src/.svn/entries 20130413/pki/base/migrate/TxtTo61/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo62/.svn/entries 20130413/pki/base/migrate/TxtTo62/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo62/classes/.svn/entries 20130413/pki/base/migrate/TxtTo62/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo62/src/.svn/entries 20130413/pki/base/migrate/TxtTo62/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo70/.svn/entries 20130413/pki/base/migrate/TxtTo70/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo70/classes/.svn/entries 20130413/pki/base/migrate/TxtTo70/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo70/src/.svn/entries 20130413/pki/base/migrate/TxtTo70/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo71/.svn/entries 20130413/pki/base/migrate/TxtTo71/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo71/classes/.svn/entries 20130413/pki/base/migrate/TxtTo71/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo71/src/.svn/entries 20130413/pki/base/migrate/TxtTo71/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo72/.svn/entries 20130413/pki/base/migrate/TxtTo72/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo72/classes/.svn/entries 20130413/pki/base/migrate/TxtTo72/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo72/src/.svn/entries 20130413/pki/base/migrate/TxtTo72/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo73/.svn/entries 20130413/pki/base/migrate/TxtTo73/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo73/classes/.svn/entries 20130413/pki/base/migrate/TxtTo73/classes/.svn/entries 4c4 < 2554 --- > 2564 
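Review bot: in the common.pm hunk at 428a445,466, get_IP_address_from_FQDN passes the result of gethostbyname( $_[0] ) straight into inet_ntoa without checking that the lookup succeeded. When the name does not resolve, gethostbyname returns an empty list, element [4] is undef, and inet_ntoa dies on the bad argument, so the migration aborts with a Socket error instead of a message naming the host. Suggest capturing the packed address first, testing it with defined, and reporting the unresolved name or returning the passed-in value. Two smaller points in the same sub: the pattern /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ accepts out-of-range octets such as 999.1.1.1 as an address, and in the IPv6 branch the hostname is returned unchanged, so the PKI_*_MACHINE_IP_ADDR slots filled at 746a807,815 can hold a name rather than an address. A comment on the slot declarations should say so.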
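Review bot: in the common.pm hunk at 628a667,691, the backslash that ends the line "if (exists $cfg->{'service.portConfigurationMode'} and \" is not a line continuation in Perl. It is the reference operator, applied to the "defined $cfg->{'service.portConfigurationMode'}" on the next line, and a reference is always true. The defined test therefore never takes effect: a key that exists with an undefined value sets $port_configuration_mode to undef instead of falling through to the mode derived from the subsystem type and ports. Drop the backslash, since Perl expressions continue across newlines without one.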
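Review bot: in the common.pm hunk at 746a807,815, the last added line assigns $slot_hash{$PKI_PORT_CONFIGURATION_MODE_SLOT} = $port_configuration_mode a second time; the same assignment was already added at 707,710c770, so one of the two can go. Also, $PKI_AGENT_MACHINE_NAME_SLOT is declared at 103a108,112 but the visible hunks key the hash with $PKI_AGENT_MACHINE_NAME. Either use the new _SLOT variable here, consistent with the *_IP_ADDR_SLOT keys on the following lines, or drop the declaration.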
diff -r 20130410/pki/base/migrate/TxtTo73/src/.svn/entries 20130413/pki/base/migrate/TxtTo73/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo80/.svn/entries 20130413/pki/base/migrate/TxtTo80/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo80/classes/.svn/entries 20130413/pki/base/migrate/TxtTo80/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/TxtTo80/src/.svn/entries 20130413/pki/base/migrate/TxtTo80/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/config/.svn/entries 20130413/pki/base/migrate/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/migrate/kra/.svn/entries 20130413/pki/base/migrate/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/.svn/entries 20130413/pki/base/native-tools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/config/.svn/entries 20130413/pki/base/native-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/doc/.svn/entries 20130413/pki/base/native-tools/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/m4/.svn/entries 20130413/pki/base/native-tools/m4/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/.svn/entries 20130413/pki/base/native-tools/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/bulkissuance/.svn/entries 20130413/pki/base/native-tools/src/bulkissuance/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/p7tool/.svn/entries 20130413/pki/base/native-tools/src/p7tool/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/revoker/.svn/entries 20130413/pki/base/native-tools/src/revoker/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/setpin/.svn/entries 20130413/pki/base/native-tools/src/setpin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/native-tools/src/sslget/.svn/entries 20130413/pki/base/native-tools/src/sslget/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/src/tkstool/.svn/entries 20130413/pki/base/native-tools/src/tkstool/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/templates/.svn/entries 20130413/pki/base/native-tools/templates/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/native-tools/wrappers/.svn/entries 20130413/pki/base/native-tools/wrappers/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/.svn/entries 20130413/pki/base/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/config/.svn/entries 20130413/pki/base/ocsp/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/doc/.svn/entries 20130413/pki/base/ocsp/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/setup/.svn/entries 20130413/pki/base/ocsp/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/.svn/entries 20130413/pki/base/ocsp/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/alias/.svn/entries 20130413/pki/base/ocsp/shared/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/conf/.svn/entries 20130413/pki/base/ocsp/shared/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/etc/.svn/entries 20130413/pki/base/ocsp/shared/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/etc/init.d/.svn/entries 20130413/pki/base/ocsp/shared/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/logs/.svn/entries 20130413/pki/base/ocsp/shared/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/logs/signedAudit/.svn/entries 20130413/pki/base/ocsp/shared/logs/signedAudit/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/shared/.svn/entries 
20130413/pki/base/ocsp/shared/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/shared/classes/.svn/entries 20130413/pki/base/ocsp/shared/shared/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/shared/lib/.svn/entries 20130413/pki/base/ocsp/shared/shared/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/temp/.svn/entries 20130413/pki/base/ocsp/shared/temp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/.svn/entries 20130413/pki/base/ocsp/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/ROOT/.svn/entries 20130413/pki/base/ocsp/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/ROOT/WEB-INF/.svn/entries 20130413/pki/base/ocsp/shared/webapps/ROOT/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/ocsp/.svn/entries 20130413/pki/base/ocsp/shared/webapps/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/.svn/entries 20130413/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/classes/.svn/entries 20130413/pki/base/ocsp/shared/webapps/ocsp/WEB-INF/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/shared/work/.svn/entries 20130413/pki/base/ocsp/shared/work/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/src/.svn/entries 20130413/pki/base/ocsp/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/src/com/.svn/entries 20130413/pki/base/ocsp/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/src/com/netscape/.svn/entries 20130413/pki/base/ocsp/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ocsp/src/com/netscape/ocsp/.svn/entries 
20130413/pki/base/ocsp/src/com/netscape/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/.svn/entries 20130413/pki/base/osutil/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/config/.svn/entries 20130413/pki/base/osutil/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/m4/.svn/entries 20130413/pki/base/osutil/m4/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/src/.svn/entries 20130413/pki/base/osutil/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/src/com/.svn/entries 20130413/pki/base/osutil/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/src/com/netscape/.svn/entries 20130413/pki/base/osutil/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/osutil/src/com/netscape/osutil/.svn/entries 20130413/pki/base/osutil/src/com/netscape/osutil/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/.svn/entries 20130413/pki/base/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/alias/.svn/entries 20130413/pki/base/ra/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/apache/.svn/entries 20130413/pki/base/ra/apache/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/apache/conf/.svn/entries 20130413/pki/base/ra/apache/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/config/.svn/entries 20130413/pki/base/ra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/doc/.svn/entries 20130413/pki/base/ra/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/emails/.svn/entries 20130413/pki/base/ra/emails/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/etc/.svn/entries 20130413/pki/base/ra/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/etc/init.d/.svn/entries 20130413/pki/base/ra/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/.svn/entries 
20130413/pki/base/ra/forms/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/admin/.svn/entries 20130413/pki/base/ra/forms/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/admin/group/.svn/entries 20130413/pki/base/ra/forms/admin/group/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/admin/user/.svn/entries 20130413/pki/base/ra/forms/admin/user/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/agent/.svn/entries 20130413/pki/base/ra/forms/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/agent/cert/.svn/entries 20130413/pki/base/ra/forms/agent/cert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/agent/request/.svn/entries 20130413/pki/base/ra/forms/agent/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/.svn/entries 20130413/pki/base/ra/forms/ee/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/agent/.svn/entries 20130413/pki/base/ra/forms/ee/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/request/.svn/entries 20130413/pki/base/ra/forms/ee/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/scep/.svn/entries 20130413/pki/base/ra/forms/ee/scep/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/server/.svn/entries 20130413/pki/base/ra/forms/ee/server/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/forms/ee/user/.svn/entries 20130413/pki/base/ra/forms/ee/user/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/.svn/entries 20130413/pki/base/ra/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/.svn/entries 20130413/pki/base/ra/lib/perl/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/PKI/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/ra/lib/perl/PKI/Base/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/Base/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/PKI/Conn/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/Conn/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/PKI/RA/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/RA/.svn/entries 4c4 < 2554 --- > 2564 204,205c204,205 < < 2013-01-28T19:58:58.000000Z --- > delete > 2013-04-13T01:26:02.000000Z 1054,1055c1054,1055 < < 2013-01-28T19:58:59.000000Z --- > delete > 2013-04-13T01:26:02.000000Z diff -r 20130410/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm 20130413/pki/base/ra/lib/perl/PKI/RA/CAInfoPanel.pm 80c80,84 < my $count = $q->param('urls'); --- > my $count = defined($q->param('urls')) ? $q->param('urls') : ""; > if ($count eq "") { > $::symbol{errorString} = "No CA information provided. CA must be installed prior to RA installation"; > return 0; > } 86c90,92 < my $host = ""; --- > my $ca_ee_host = ""; > my $ca_agent_host = ""; > my $ca_admin_host = ""; 92a99,104 > # this is for pkisilent > &PKI::RA::Wizard::debug_log("CAInfoPanel: update - It is believed " > . "that 'pkisilent' no longer utilizes " > . "this code path, so this message " > . "should not appear in the log!"); > 94,96c106,118 < $host = $info->host; < $https_ee_port = $info->port; < $domain_xml = get_domain_xml($host, $https_ee_port); --- > $ca_ee_host = defined($info->host) ? $info->host : ""; > if ($ca_ee_host eq "") { > $::symbol{errorString} = "No CA EE host provided."; > return 0; > } > > $https_ee_port = defined($info->port) ? 
$info->port : ""; > if ($https_ee_port eq "") { > $::symbol{errorString} = "No CA EE port provided."; > return 0; > } > > $domain_xml = get_domain_xml($ca_ee_host, $https_ee_port); 102,106c124,131 < $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $host, $https_ee_port); < $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $host, $https_ee_port); < < if(($https_admin_port eq "") || ($https_agent_port eq "")) { < $::symbol{errorString} = "missing secure CA admin or agent port. CA must be installed prior to RA installation"; --- > $ca_agent_host = get_agent_host_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $ca_admin_host = get_admin_host_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > > if(($ca_admin_host eq "") || ($https_admin_port eq "") || > ($ca_agent_host eq "") || ($https_agent_port eq "")) { > $::symbol{errorString} = "missing secure CA admin or agent host/port information not provided by security domain. CA must be installed prior to RA installation"; 110,113c135,149 < $host = $::config->get("preop.securitydomain.ca$count.host"); < $https_ee_port = $::config->get("preop.securitydomain.ca$count.secureport"); < $https_agent_port = $::config->get("preop.securitydomain.ca$count.secureagentport"); < $https_admin_port = $::config->get("preop.securitydomain.ca$count.secureadminport"); --- > &PKI::RA::Wizard::debug_log("CAInfoPanel: update - " > . "Obtaining CA Info from 'CS.cfg'."); > > $ca_ee_host = defined($::config->get("preop.securitydomain.ca$count.eehost")) ? > $::config->get("preop.securitydomain.ca$count.eehost") : ""; > $https_ee_port = defined($::config->get("preop.securitydomain.ca$count.secureport")) ? 
> $::config->get("preop.securitydomain.ca$count.secureport") : ""; > $ca_agent_host = defined($::config->get("preop.securitydomain.ca$count.agenthost")) ? > $::config->get("preop.securitydomain.ca$count.agenthost") : ""; > $https_agent_port = defined($::config->get("preop.securitydomain.ca$count.secureagentport")) ? > $::config->get("preop.securitydomain.ca$count.secureagentport") : ""; > $ca_admin_host = defined($::config->get("preop.securitydomain.ca$count.adminhost")) ? > $::config->get("preop.securitydomain.ca$count.adminhost") : ""; > $https_admin_port = defined($::config->get("preop.securitydomain.ca$count.secureadminport")) ? > $::config->get("preop.securitydomain.ca$count.secureadminport") : ""; 116c152,154 < if (($host eq "") || ($https_ee_port eq "") || ($https_admin_port eq "") || ($https_agent_port eq "")) { --- > if (($ca_ee_host eq "") || ($https_ee_port eq "") || > ($ca_agent_host eq "") || ($https_agent_port eq "") || > ($ca_admin_host eq "") || ($https_admin_port eq "")) { 121c159 < &PKI::RA::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port"); --- > &PKI::RA::Wizard::debug_log("CAInfoPanel: update - ca_ee_host= $ca_ee_host, https_ee_port= $https_ee_port"); 123c161 < $::config->put("preop.cainfo.select", "https://$host:$https_admin_port"); --- > $::config->put("preop.cainfo.select", "https://$ca_admin_host:$https_admin_port"); 128,130c166,168 < $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port); < $::config->put("conn.ca1.hostagentport", $host . ":" . $https_agent_port); < $::config->put("conn.ca1.hostadminport", $host . ":" . $https_admin_port); --- > $::config->put("conn.ca1.hostport", $ca_ee_host . ":" . $https_ee_port); > $::config->put("conn.ca1.hostagentport", $ca_agent_host . ":" . $https_agent_port); > $::config->put("conn.ca1.hostadminport", $ca_admin_host . ":" . 
$https_admin_port); 140c178 < system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile"); --- > system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $ca_ee_host:$https_ee_port > $tmpfile"); 170a209,211 > $::config->put("preop.cainfo.done", "true"); > $::config->commit(); > 185,186c226,228 < my $host = $::config->get("preop.securitydomain.ca$count.host"); < if ($host eq "") { --- > my $ca_ee_host = ""; > $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost"); > if ($ca_ee_host eq "") { 191,192c233,234 < my $item = $name . " - https://" . $host . ":" . $https_ee_port; < # my $item = "https://" . $host . ":" . $https_ee_port; --- > my $item = $name . " - https://" . $ca_ee_host . ":" . $https_ee_port; > # my $item = "https://" . $ca_ee_host . ":" . $https_ee_port; 208c250 < $::symbol{errorString} = "no CA found. CA, TKS, and optionally DRM must be installed prior to RA installation"; --- > $::symbol{errorString} = "no CA found. CA must be installed prior to RA installation"; 216c258 < my $host = $1; --- > my $ca_ee_host = $1; 240c282 < my $host = $2; --- > my $ca_ee_host = $2; 244c286 < # to the selected host and secure ee port. --- > # to the selected EE host and secure ee port. 252c294 < if( ( $host eq $c->{'Host'}[0] ) && --- > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && 266c308 < my $host = $2; --- > my $ca_ee_host = $2; 270c312 < # to the selected host and secure ee port. --- > # to the selected EE host and secure ee port. 278c320 < if( ( $host eq $c->{'Host'}[0] ) && --- > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && 288a331,400 > sub get_admin_host_from_domain_xml > { > my $content = $1; > my $ca_ee_host = $2; > my $https_ee_port = $3; > > # Retrieve the admin host corresponding > # to the selected EE host and secure ee port. 
> my $parser = XML::Simple->new(); > my $response = $parser->XMLin($content); > my $xml = $parser->XMLin( $response->{'DomainInfo'}, > ForceArray => 1 ); > my $ca_admin_host = ""; > my $count = 0; > foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && > ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { > if( $c->{'AdminHost'}[0] ne "" ) { > # IP Port Separation Schema > $ca_admin_host = https_$c->{'AdminHost'}[0]; > } else { > # Port Separation Schema > $ca_admin_host = https_$c->{'Host'}[0]; > } > } > > $count++; > } > > return $ca_admin_host; > } > > sub get_agent_host_from_domain_xml > { > my $content = $1; > my $ca_ee_host = $2; > my $https_ee_port = $3; > > # Retrieve the agent host corresponding > # to the selected EE host and secure ee port. > my $parser = XML::Simple->new(); > my $response = $parser->XMLin($content); > my $xml = $parser->XMLin( $response->{'DomainInfo'}, > ForceArray => 1 ); > my $ca_agent_host = ""; > my $count = 0; > foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && > ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { > if( $c->{'AgentHost'}[0] ne "" ) { > # IP Port Separation Schema > $ca_agent_host = https_$c->{'AgentHost'}[0]; > } else { > # Port Separation Schema > $ca_agent_host = https_$c->{'Host'}[0]; > } > } > > $count++; > } > > return $ca_agent_host; > } > > sub is_panel_done > { > return $::config->get("preop.cainfo.done"); > } > > Only in 20130410/pki/base/ra/lib/perl/PKI/RA: DRMInfoPanel.pm diff -r 20130410/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm 20130413/pki/base/ra/lib/perl/PKI/RA/DisplayCertChainPanel.pm 124a125,126 > $::config->put("preop.displaycertchain.done", "true"); > $::config->commit(); 253,255c255,261 < $c->{'EEClientAuthPort'}[0]); < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > $c->{'SecureEEClientAuthPort'}[0]); > # Account for a Security Domain using 
either an IP Port Separation > # Schema, or a Port Separation Schema > my $ca_agent_hostname = ""; > my $ca_ee_hostname = ""; > my $ca_admin_hostname = ""; > my $ca_eeca_hostname = ""; 258a265 > $ca_agent_hostname = $c->{'AgentHost'}[0]; 261a269 > $ca_agent_hostname = $c->{'Host'}[0]; 265a274 > $ca_ee_hostname = $c->{'EEHost'}[0]; 268a278 > $ca_ee_hostname = $c->{'Host'}[0]; 272a283 > $ca_admin_hostname = $c->{'AdminHost'}[0]; 275a287 > $ca_admin_hostname = $c->{'Host'}[0]; 279a292 > $ca_eeca_hostname = $c->{'EEClientAuthHost'}[0]; 282a296 > $ca_eeca_hostname = $c->{'Host'}[0]; 289,290c303 < if( ( $sd_host eq $c-> $::config->put("preop.securitydomain.ca" . < $count . ".adminhost") ) && --- > if( ( $sd_host eq $ca_admin_hostname ) && 293,310c306,311 < my $http_ee_port = "http://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eehost") < . ":" < . $c->{'UnSecurePort'}[0]; < my $https_agent_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".agenthost") < . ":" < . $c->{'SecureAgentPort'}[0]; < my $https_ee_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eehost") < . ":" < . $c->{'SecurePort'}[0]; < my $https_eeca_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eecahost") --- > my $http_ee_url = "http://" > . $ca_ee_hostname > . ":" > . $c->{'UnSecurePort'}[0]; > my $https_agent_url = "https://" > . $ca_agent_hostname 312c313,321 < . $c->{'EEClientAuthPort'}[0]; --- > . $c->{'SecureAgentPort'}[0]; > my $https_ee_url = "https://" > . $ca_ee_hostname > . ":" > . $c->{'SecurePort'}[0]; > my $https_eeca_url = "https://" > . $ca_eeca_hostname > . ":" > . 
$c->{'SecureEEClientAuthPort'}[0]; 315,318c324,327 < $::config->put( "config.sdomainHttpURL", $http_ee_port ); < $::config->put( "config.sdomainAgentURL", $https_agent_port ); < $::config->put( "config.sdomainEEURL", $https_ee_port ); < $::config->put( "config.sdomainEECAURL", $https_eeca_port ); --- > $::config->put( "config.sdomainHttpURL", $http_ee_url ); > $::config->put( "config.sdomainAgentURL", $https_agent_url ); > $::config->put( "config.sdomainEEURL", $https_ee_url ); > $::config->put( "config.sdomainEECAURL", $https_eeca_url ); 327c336 < $::config->put( "securitydomain.eehost", --- > $::config->put( "securitydomain.eecahost", 334c343 < $::config->put( "securitydomain.httpseeport", --- > $::config->put( "securitydomain.httpseeport", 335a345,346 > $::config->put( "securitydomain.httpseecaport", > $c->{'SecureEEClientAuthPort'}[0] ); 355,356c366,367 < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > # Account for a Security Domain using either an IP Port Separation > # Schema, or a Port Separation Schema 395,396c406,407 < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > # Account for a Security Domain using either an IP Port Separation > # Schema, or a Port Separation Schema 439a451,456 > sub is_panel_done > { > return $::config->get("preop.displaycertchain.done"); > } > > diff -r 20130410/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm 20130413/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm 89c89 < my $host = ""; --- > my $ca_ee_host = ""; 95c95 < $host = $info->host; --- > $ca_ee_host = $info->host; 98,99c98,99 < $host = $::config->get("preop.securitydomain.ca$count.host"); < if ($host eq "") { --- > $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost"); > if ($ca_ee_host eq "") { 103c103 < &PKI::RA::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port"); --- > 
&PKI::RA::Wizard::debug_log("NamePanel: update - ca_ee_host= $ca_ee_host, https_ee_port= $https_ee_port"); 108c108 < $::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port); --- > $::config->put("preop.ca.url", "https://" . $ca_ee_host . ":" . $https_ee_port); 295c295 < $host = $sdom_url->host; --- > $ca_ee_host = $sdom_url->host; 299,300c299,300 < $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; < $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; --- > $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; > $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; 302,303c302,303 < $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; < $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; --- > $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; > $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; 482,483c482,483 < my $host = $::config->get("preop.securitydomain.ca$count.host"); < if ($host eq "") { --- > my $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost"); > if ($ca_ee_host eq "") { 488c488 < my $item = $name . " - https://" . 
$host . ":" . $https_ee_port; --- > my $item = $name . " - https://" . $ca_ee_host . ":" . $https_ee_port; Only in 20130410/pki/base/ra/lib/perl/PKI/RA: TKSInfoPanel.pm diff -r 20130410/pki/base/ra/lib/perl/PKI/Request/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/Request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/PKI/Request/Plugin/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/Request/Plugin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/PKI/Service/.svn/entries 20130413/pki/base/ra/lib/perl/PKI/Service/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/lib/perl/Template/.svn/entries 20130413/pki/base/ra/lib/perl/Template/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/logs/.svn/entries 20130413/pki/base/ra/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/scripts/.svn/entries 20130413/pki/base/ra/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/ra/setup/.svn/entries 20130413/pki/base/ra/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/scripts/.svn/entries 20130413/pki/base/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/selinux/.svn/entries 20130413/pki/base/selinux/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/selinux/config/.svn/entries 20130413/pki/base/selinux/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/selinux/src/.svn/entries 20130413/pki/base/selinux/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/setup/.svn/entries 20130413/pki/base/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/setup/config/.svn/entries 20130413/pki/base/setup/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/setup/pkicommon 20130413/pki/base/setup/pkicommon 225c225,235 < $PKI_UNKNOWN_PORT_MODE = "Unknown Port Mode"; --- > $PKI_MISSING_PORT_MODE = "Must be shared ports, separated ports, OR IP separated ports!"; > 
$PKI_SHARED_AND_IP_SEPARATED_PORT_MODES = "Cannot be shared ports AND IP separated ports!"; > $PKI_SHARED_AND_SEPARATED_PORT_MODES = "Cannot be shared ports AND separated ports!"; > $PKI_DUPLICATE_SHARED_CONNECTOR_PORTS = "Specified shared connector ports must be unique!"; > $PKI_DUPLICATE_SEPARATED_CONNECTOR_PORTS = "Specified separated connector ports must be unique!"; > $PKI_DUPLICATE_IP_SEPARATED_CONNECTOR_PORTS = "For IP separated connector ports, specified secure ports must be unique from the specified unsecure port which must be unique from the specified tomcat port!"; > $PKI_MISSING_HOSTNAMES = "For IP separated ports, ALL hostnames must be specified!"; > $PKI_MISSING_EE_CLIENT_AUTH_HOSTNAME = "When using IP separated ports on a CA, an EE client auth hostname must be specified!"; > $PKI_IP_DUPLICATE_HOSTNAME_PORT = "For IP separated ports, all 'hostname:port' combinations must be unique!"; > $PKI_DUPLICATE_RA_CONNECTOR_PORTS = "Specified RA connector ports must be unique!"; > $PKI_DUPLICATE_TPS_CONNECTOR_PORTS = "Specified TPS connector ports must be unique!"; 718,723c728,730 < # return $PKI_IP_PORT_SEPARATION_MODE < # return $PKI_PORT_SEPARATION_MODE < # return $PKI_SHARED_PORTS_MODE < # return $RA_PORTS_MODE < # return $TPS_PORTS_MODE < # return $PKI_UNKNOWN_PORT_MODE --- > # return $PKI_IP_PORT_SEPARATION_MODE, $PKI_PORT_SEPARATION_MODE, > # $PKI_SHARED_PORTS_MODE, $RA_PORTS_MODE, $TPS_PORTS_MODE, or > # explanatory error message 726,731c733,738 < my $l_agent_uri = ""; < my $l_ee_uri = ""; < my $l_ee_client_auth_uri = ""; < my $l_admin_uri = ""; < my $l_unsecure_uri = ""; < my $l_tomcat_uri = ""; --- > my $l_agent_hostport = ""; > my $l_ee_hostport = ""; > my $l_ee_client_auth_hostport = ""; > my $l_admin_hostport = ""; > my $l_unsecure_hostport = ""; > my $l_tomcat_hostport = ""; 753c760 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_MISSING_PORT_MODE; 761c768 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_SHARED_AND_IP_SEPARATED_PORT_MODES; 
765c772 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_SHARED_AND_IP_SEPARATED_PORT_MODES; 771c778 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_SHARED_AND_SEPARATED_PORT_MODES; 780c787 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_DUPLICATE_SHARED_CONNECTOR_PORTS; 808c815 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_DUPLICATE_SEPARATED_CONNECTOR_PORTS; 825c832 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_DUPLICATE_IP_SEPARATED_CONNECTOR_PORTS; 837c844 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_MISSING_HOSTNAMES; 841,846c848,853 < # IP Separated Ports: establish URIs < $l_agent_uri = $agent_hostname . ':' . $agent_secure_port; < $l_ee_uri = $ee_hostname . ':' . $ee_secure_port; < $l_admin_uri = $admin_hostname . ':' . $admin_secure_port; < $l_unsecure_uri = $ee_hostname . ':' . $unsecure_port; < $l_tomcat_uri = $admin_hostname . ':' . $tomcat_server_port; --- > # IP Separated Ports: establish "hostname:port" combinations > $l_agent_hostport = $agent_hostname . ':' . $agent_secure_port; > $l_ee_hostport = $ee_hostname . ':' . $ee_secure_port; > $l_admin_hostport = $admin_hostname . ':' . $admin_secure_port; > $l_unsecure_hostport = $ee_hostname . ':' . $unsecure_port; > $l_tomcat_hostport = $admin_hostname . ':' . $tomcat_server_port; 855c862 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_MISSING_EE_CLIENT_AUTH_HOSTNAME; 858,859c865,866 < $l_ee_client_auth_uri = $ee_client_auth_hostname . ':' < . $ee_client_auth_secure_port; --- > $l_ee_client_auth_hostport = $ee_client_auth_hostname . ':' > . 
$ee_secure_client_auth_port; 861,876c868,884 < # IP Separated Ports: all uri's must be unique < if( ( $l_agent_uri eq $l_admin_uri ) || < ( $l_agent_uri eq $l_ee_uri ) || < ( $l_agent_uri eq $l_ee_client_auth_uri ) || < ( $l_agent_uri eq $l_unsecure_uri ) || < ( $l_agent_uri eq $l_tomcat_uri ) || < ( $l_ee_uri eq $l_admin_uri ) || < ( $l_ee_uri eq $l_ee_client_auth_uri ) || < ( $l_ee_uri eq $l_unsecure_uri ) || < ( $l_ee_uri eq $l_tomcat_uri ) || < ( $l_ee_client_auth_uri eq $l_admin_uri ) || < ( $l_ee_client_auth_uri eq $l_unsecure_uri ) || < ( $l_ee_client_auth_uri eq $l_tomcat_uri ) || < ( $l_admin_uri eq $l_unsecure_uri ) || < ( $l_admin_uri eq $l_tomcat_uri ) || < ( $l_unsecure_uri eq $l_tomcat_uri ) ) { --- > # IP Separated Ports: all "hostname:port" combinations > # must be unique > if( ( $l_agent_hostport eq $l_admin_hostport ) || > ( $l_agent_hostport eq $l_ee_hostport ) || > ( $l_agent_hostport eq $l_ee_client_auth_hostport ) || > ( $l_agent_hostport eq $l_unsecure_hostport ) || > ( $l_agent_hostport eq $l_tomcat_hostport ) || > ( $l_ee_hostport eq $l_admin_hostport ) || > ( $l_ee_hostport eq $l_ee_client_auth_hostport ) || > ( $l_ee_hostport eq $l_unsecure_hostport ) || > ( $l_ee_hostport eq $l_tomcat_hostport ) || > ( $l_ee_client_auth_hostport eq $l_admin_hostport ) || > ( $l_ee_client_auth_hostport eq $l_unsecure_hostport ) || > ( $l_ee_client_auth_hostport eq $l_tomcat_hostport ) || > ( $l_admin_hostport eq $l_unsecure_hostport ) || > ( $l_admin_hostport eq $l_tomcat_hostport ) || > ( $l_unsecure_hostport eq $l_tomcat_hostport ) ) { 878c886 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_IP_DUPLICATE_HOSTNAME_PORT; 886,896c894,905 < # IP Separated Ports: all uri's must be unique < if( ( $l_agent_uri eq $l_admin_uri ) || < ( $l_agent_uri eq $l_ee_uri ) || < ( $l_agent_uri eq $l_unsecure_uri ) || < ( $l_agent_uri eq $l_tomcat_uri ) || < ( $l_ee_uri eq $l_admin_uri ) || < ( $l_ee_uri eq $l_unsecure_uri ) || < ( $l_ee_uri eq $l_tomcat_uri ) || < ( 
$l_admin_uri eq $l_unsecure_uri ) || < ( $l_admin_uri eq $l_tomcat_uri ) || < ( $l_unsecure_uri eq $l_tomcat_uri ) ) { --- > # IP Separated Ports: all "hostname:port" combinations > # must be unique > if( ( $l_agent_hostport eq $l_admin_hostport ) || > ( $l_agent_hostport eq $l_ee_hostport ) || > ( $l_agent_hostport eq $l_unsecure_hostport ) || > ( $l_agent_hostport eq $l_tomcat_hostport ) || > ( $l_ee_hostport eq $l_admin_hostport ) || > ( $l_ee_hostport eq $l_unsecure_hostport ) || > ( $l_ee_hostport eq $l_tomcat_hostport ) || > ( $l_admin_hostport eq $l_unsecure_hostport ) || > ( $l_admin_hostport eq $l_tomcat_hostport ) || > ( $l_unsecure_hostport eq $l_tomcat_hostport ) ) { 898c907 < return $PKI_UNKNOWN_PORT_MODE; --- > return $PKI_IP_DUPLICATE_HOSTNAME_PORT; 911c920,924 < return $PKI_UNKNOWN_PORT_MODE; --- > if( $subsystem_type eq $RA ) { > return $PKI_DUPLICATE_RA_CONNECTOR_PORTS; > } elsif( $subsystem_type eq $TPS ) { > return $PKI_DUPLICATE_TPS_CONNECTOR_PORTS; > } diff -r 20130410/pki/base/setup/pkicreate 20130413/pki/base/setup/pkicreate 443c443 < my $SUBSYSTEM_TYPE = ""; --- > my $uc_subsystem_type = ""; 469,474c469,474 < my $agent_uri = ""; < my $ee_uri = ""; < my $ee_client_auth_uri = ""; < my $admin_uri = ""; < my $unsecure_uri = ""; < my $tomcat_uri = ""; --- > my $agent_hostport = ""; > my $ee_hostport = ""; > my $ee_client_auth_hostport = ""; > my $admin_hostport = ""; > my $unsecure_hostport = ""; > my $tomcat_hostport = ""; 1298c1298 < $SUBSYSTEM_TYPE = uc $subsystem_type; --- > $uc_subsystem_type = uc $subsystem_type; 1339,1340c1339,1340 < . "'$SUBSYSTEM_TYPE' subsystems; NO values for agent, admin, " < . "ee, or ee client auth hostnames should be specified!\n", --- > . "'$uc_subsystem_type' subsystems; NO values for agent, admin," > . 
" ee, or ee client auth hostnames should be specified!\n", 1392c1392 < emit( "For '$SUBSYSTEM_TYPE' subsystems, if attempting " --- > emit( "For '$uc_subsystem_type' subsystems, if attempting " 1557,1559c1557,1559 < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $agent_secure_port; < $ee_uri = $ee_hostname . ':' . $ee_secure_port; --- > # Establish all ':' combinations > $agent_hostport = $agent_hostname . ':' . $agent_secure_port; > $ee_hostport = $ee_hostname . ':' . $ee_secure_port; 1561,1562c1561,1562 < $ee_client_auth_uri = $ee_client_auth_hostname . ':' < . $ee_secure_client_auth_port; --- > $ee_client_auth_hostport = $ee_client_auth_hostname . ':' > . $ee_secure_client_auth_port; 1564,1566c1564,1566 < $admin_uri = $admin_hostname . ':' . $admin_secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; < $tomcat_uri = $host . ':' . $tomcat_server_port; --- > $admin_hostport = $admin_hostname . ':' . $admin_secure_port; > $unsecure_hostport = $ee_hostname . ':' . $unsecure_port; > $tomcat_hostport = $host . ':' . $tomcat_server_port; 1581,1583c1581,1583 < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $agent_secure_port; < $ee_uri = $ee_hostname . ':' . $ee_secure_port; --- > # Establish all ':' combinations > $agent_hostport = $agent_hostname . ':' . $agent_secure_port; > $ee_hostport = $ee_hostname . ':' . $ee_secure_port; 1585,1586c1585,1586 < $ee_client_auth_uri = $ee_client_auth_hostname . ':' < . $ee_secure_client_auth_port; --- > $ee_client_auth_hostport = $ee_client_auth_hostname . ':' > . $ee_secure_client_auth_port; 1588,1590c1588,1590 < $admin_uri = $admin_hostname . ':' . $admin_secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; < $tomcat_uri = $host . ':' . $tomcat_server_port; --- > $admin_hostport = $admin_hostname . ':' . $admin_secure_port; > $unsecure_hostport = $ee_hostname . ':' . $unsecure_port; > $tomcat_hostport = $host . ':' . 
$tomcat_server_port; 1605,1607c1605,1607 < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $secure_port; < $ee_uri = $ee_hostname . ':' . $secure_port; --- > # Establish all ':' combinations > $agent_hostport = $agent_hostname . ':' . $secure_port; > $ee_hostport = $ee_hostname . ':' . $secure_port; 1609c1609 < $ee_client_auth_uri = $ee_client_auth_hostname . ':' --- > $ee_client_auth_hostport = $ee_client_auth_hostname . ':' 1612,1614c1612,1614 < $admin_uri = $admin_hostname . ':' . $secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; < $tomcat_uri = $host . ':' . $tomcat_server_port; --- > $admin_hostport = $admin_hostname . ':' . $secure_port; > $unsecure_hostport = $ee_hostname . ':' . $unsecure_port; > $tomcat_hostport = $host . ':' . $tomcat_server_port; 1626,1630c1626,1630 < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $secure_port; < $ee_uri = $ee_hostname . ':' . $secure_port; < $admin_uri = $admin_hostname . ':' . $secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; --- > # Establish all ':' combinations > $agent_hostport = $agent_hostname . ':' . $secure_port; > $ee_hostport = $ee_hostname . ':' . $secure_port; > $admin_hostport = $admin_hostname . ':' . $secure_port; > $unsecure_hostport = $ee_hostname . ':' . $unsecure_port; 1642,1646c1642,1646 < # Establish all ':' URIs < $agent_uri = $agent_hostname . ':' . $secure_port; < $ee_uri = $ee_hostname . ':' . $secure_port; < $admin_uri = $admin_hostname . ':' . $secure_port; < $unsecure_uri = $ee_hostname . ':' . $unsecure_port; --- > # Establish all ':' combinations > $agent_hostport = $agent_hostname . ':' . $secure_port; > $ee_hostport = $ee_hostname . ':' . $secure_port; > $admin_hostport = $admin_hostname . ':' . $secure_port; > $unsecure_hostport = $ee_hostname . ':' . 
$unsecure_port; 1648c1648,1649 < } elsif( $mode eq $PKI_UNKNOWN_PORT_MODE ) { --- > } else { > # Port Configuration Mode Error: Display usage with error message 1650c1651 < emit( "Invalid port configuration mode!\n","error" ); --- > emit( "$mode\n","error" ); diff -r 20130410/pki/base/silent/.svn/entries 20130413/pki/base/silent/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-21T19:36:45.980348Z < 2531 --- > 2013-04-11T20:38:49.312670Z > 2559 diff -r 20130410/pki/base/silent/config/.svn/entries 20130413/pki/base/silent/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/silent/scripts/.svn/entries 20130413/pki/base/silent/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/silent/src/.svn/entries 20130413/pki/base/silent/src/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 diff -r 20130410/pki/base/silent/src/argparser/.svn/entries 20130413/pki/base/silent/src/argparser/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/silent/src/ca/.svn/entries 20130413/pki/base/silent/src/ca/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:42.000000Z < 82bff3fac40bdc142c8dd62074676dbd < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:08.000000Z > b45a4d284155de983ede987888467aa4 > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 73647 --- > 73574 diff -r 20130410/pki/base/silent/src/ca/.svn/text-base/ConfigureCA.java.svn-base 20130413/pki/base/silent/src/ca/.svn/text-base/ConfigureCA.java.svn-base 1106d1105 < System.out.println("Cert to Import =" + cert_to_import); diff -r 20130410/pki/base/silent/src/ca/ConfigureCA.java 20130413/pki/base/silent/src/ca/ConfigureCA.java 1106d1105 < System.out.println("Cert to Import =" + cert_to_import); diff -r 20130410/pki/base/silent/src/common/.svn/entries 20130413/pki/base/silent/src/common/.svn/entries 4c4 
< 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 307,310c307,310 < 2013-02-21T01:38:43.000000Z < 7f15c64e72517d25ae08e9b6d48dfeba < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:08.000000Z > a3c38a50828191700a84d6a6563a5873 > 2013-04-11T20:38:49.312670Z > 2559 333c333 < 25905 --- > 27584 diff -r 20130410/pki/base/silent/src/common/.svn/text-base/ComCrypto.java.svn-base 20130413/pki/base/silent/src/common/.svn/text-base/ComCrypto.java.svn-base 36a37 > import org.mozilla.jss.crypto.InternalCertificate; 251,252d251 < < 270c269,296 < return true; --- > /* > * failing to import cert should not be detrimental. When failed, > * allow to continue and user can manually import them later. > * Same with trust setting. > */ > if (cert != null) > System.out.println("importCert string: importCertPackage() succeeded"); > else > System.out.println("importCert string: importCertPackage() failed"); > > /* set trust bits for the issuer CA cert */ > System.out.println("importCert string: set CA trust bits"); > X509Certificate[] ca_certs = manager.getCACerts(); > for (int i =0; i< ca_certs.length; i++) { > // look for the signing CA > if (ca_certs[i].getSubjectDN().toString().equals( > cert.getIssuerDN().toString())) { > // set the trust bits > InternalCertificate icert = > (InternalCertificate) ca_certs[i]; > icert.setSSLTrust(InternalCertificate.TRUSTED_CA > | InternalCertificate.TRUSTED_CLIENT_CA > | InternalCertificate.VALID_CA); > > System.out.println("importCert string: CA trust bits set"); > break; > } > } 274c300 < "ERROR:exception importing cert " + e.getMessage()); --- > "ERROR: exception importing cert: " + e.getMessage()); 276c302 < return false; --- > // return false; 278c304 < --- > return true; 297a324,328 > // adjust the trust bits > InternalCertificate icert = (InternalCertificate) cert; > icert.setSSLTrust(InternalCertificate.TRUSTED_CA > | InternalCertificate.TRUSTED_CLIENT_CA > | 
InternalCertificate.VALID_CA); diff -r 20130410/pki/base/silent/src/common/ComCrypto.java 20130413/pki/base/silent/src/common/ComCrypto.java 36a37 > import org.mozilla.jss.crypto.InternalCertificate; 251,252d251 < < 270c269,296 < return true; --- > /* > * failing to import cert should not be detrimental. When failed, > * allow to continue and user can manually import them later. > * Same with trust setting. > */ > if (cert != null) > System.out.println("importCert string: importCertPackage() succeeded"); > else > System.out.println("importCert string: importCertPackage() failed"); > > /* set trust bits for the issuer CA cert */ > System.out.println("importCert string: set CA trust bits"); > X509Certificate[] ca_certs = manager.getCACerts(); > for (int i =0; i< ca_certs.length; i++) { > // look for the signing CA > if (ca_certs[i].getSubjectDN().toString().equals( > cert.getIssuerDN().toString())) { > // set the trust bits > InternalCertificate icert = > (InternalCertificate) ca_certs[i]; > icert.setSSLTrust(InternalCertificate.TRUSTED_CA > | InternalCertificate.TRUSTED_CLIENT_CA > | InternalCertificate.VALID_CA); > > System.out.println("importCert string: CA trust bits set"); > break; > } > } 274c300 < "ERROR:exception importing cert " + e.getMessage()); --- > "ERROR: exception importing cert: " + e.getMessage()); 276c302 < return false; --- > // return false; 278c304 < --- > return true; 297a324,328 > // adjust the trust bits > InternalCertificate icert = (InternalCertificate) cert; > icert.setSSLTrust(InternalCertificate.TRUSTED_CA > | InternalCertificate.TRUSTED_CLIENT_CA > | InternalCertificate.VALID_CA); diff -r 20130410/pki/base/silent/src/drm/.svn/entries 20130413/pki/base/silent/src/drm/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:42.000000Z < f19f22bbc322a4e6605153005be039d9 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:07.000000Z > 
1826e5d88ff1f46405bd2577a3645955 > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 55851 --- > 55852 diff -r 20130410/pki/base/silent/src/drm/.svn/text-base/ConfigureDRM.java.svn-base 20130413/pki/base/silent/src/drm/.svn/text-base/ConfigureDRM.java.svn-base 842c842 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/drm/ConfigureDRM.java 20130413/pki/base/silent/src/drm/ConfigureDRM.java 842c842 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/http/.svn/entries 20130413/pki/base/silent/src/http/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/silent/src/ocsp/.svn/entries 20130413/pki/base/silent/src/ocsp/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:43.000000Z < 4bb1b5d3f16f786df685118357f1e12f < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:08.000000Z > 8799b825f8dc81ae368a8aeb98c1d1fb > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 49409 --- > 49410 diff -r 20130410/pki/base/silent/src/ocsp/.svn/text-base/ConfigureOCSP.java.svn-base 20130413/pki/base/silent/src/ocsp/.svn/text-base/ConfigureOCSP.java.svn-base 746c746 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/ocsp/ConfigureOCSP.java 20130413/pki/base/silent/src/ocsp/ConfigureOCSP.java 746c746 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/ra/.svn/entries 20130413/pki/base/silent/src/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/silent/src/ra/ConfigureRA.java 20130413/pki/base/silent/src/ra/ConfigureRA.java 76a77 > public static String 
ca_admin_hostname = null; 299a301,302 > // 'ca_url' is not used, but refers to > // the CA EE hostname and the CA EE port 441a445,446 > // 'ca_url' is not used, but refers to > // the CA EE hostname and the CA EE port 523a529,530 > // 'auth_hostname' references the CA EE hostname > // 'auth_port' references the CA EE port 575a583,593 > // Account for a connection to a CA that has been > // configured with IP Port Configuration Mode. > if ( ca_admin_hostname == null ) { > // A missing 'ca_admin_hostname' implies that the CA > // may have been configured with a single hostname > // (i. e. - Port Configuration Mode). Try setting > // 'ca_admin_hostname' to 'ca_hostname', although > // this may still fail. > ca_admin_hostname = ca_hostname; > } > 581c599 < hr = hc.sslConnect(ca_hostname,ca_admin_port,admin_uri,query_string); --- > hr = hc.sslConnect(ca_admin_hostname,ca_admin_port,admin_uri,query_string); 620c638 < URLEncoder.encode( ca_hostname ) + --- > URLEncoder.encode( ca_admin_hostname ) + 778a797 > StringHolder x_ca_admin_hostname = new StringHolder(); 838c857 < parser.addOption ("-ca_hostname %s #CA Hostname", --- > parser.addOption ("-ca_hostname %s #CA EE Hostname", 839a859,860 > parser.addOption ("-ca_admin_hostname %s #CA Admin Hostname", > x_ca_admin_hostname); 919a941 > ca_admin_hostname = x_ca_admin_hostname.value; diff -r 20130410/pki/base/silent/src/subca/.svn/entries 20130413/pki/base/silent/src/subca/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:43.000000Z < d7939ebdc9a7aa8e7e21c295ec0239a8 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:08.000000Z > cd6943ecef4270c0b232da160ad9ed22 > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 53544 --- > 53545 diff -r 20130410/pki/base/silent/src/subca/.svn/text-base/ConfigureSubCA.java.svn-base 20130413/pki/base/silent/src/subca/.svn/text-base/ConfigureSubCA.java.svn-base 785c785 < 
System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/subca/ConfigureSubCA.java 20130413/pki/base/silent/src/subca/ConfigureSubCA.java 785c785 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/tks/.svn/entries 20130413/pki/base/silent/src/tks/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:42.000000Z < ef1ebda5d90526a375fb84c3c01ce9af < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:07.000000Z > a0ccc90176cc939ac7cb2bab0e3a3b1d > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 45422 --- > 45423 diff -r 20130410/pki/base/silent/src/tks/.svn/text-base/ConfigureTKS.java.svn-base 20130413/pki/base/silent/src/tks/.svn/text-base/ConfigureTKS.java.svn-base 715c715 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/tks/ConfigureTKS.java 20130413/pki/base/silent/src/tks/ConfigureTKS.java 715c715 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/tps/.svn/entries 20130413/pki/base/silent/src/tps/.svn/entries 4c4 < 2554 --- > 2564 10,11c10,11 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-11T20:38:49.312670Z > 2559 35,38c35,38 < 2013-02-21T01:38:43.000000Z < 497a49c8a293fd0f288abf00b04f8c20 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T02:42:08.000000Z > 0bb71f05056fd8eda1e4d570d8573508 > 2013-04-11T20:38:49.312670Z > 2559 61c61 < 35736 --- > 35737 diff -r 20130410/pki/base/silent/src/tps/.svn/text-base/ConfigureTPS.java.svn-base 20130413/pki/base/silent/src/tps/.svn/text-base/ConfigureTPS.java.svn-base 738c738 < System.out.println("Imported 
Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); diff -r 20130410/pki/base/silent/src/tps/ConfigureTPS.java 20130413/pki/base/silent/src/tps/ConfigureTPS.java 76a77 > public static String ca_admin_hostname = null; 345a347,348 > // 'ca_url' is not used, but refers to > // the CA EE hostname and the CA EE port 572a576,577 > // 'ca_url' is not used, but refers to > // the CA EE hostname and the CA EE port 667a673,674 > // 'auth_hostname' references the CA EE hostname > // 'auth_port' references the CA EE port 719a727,737 > // Account for a connection to a CA that has been > // configured with IP Port Configuration Mode. > if ( ca_admin_hostname == null ) { > // A missing 'ca_admin_hostname' implies that the CA > // may have been configured with a single hostname > // (i. e. - Port Configuration Mode). Try setting > // 'ca_admin_hostname' to 'ca_hostname', although > // this may still fail. > ca_admin_hostname = ca_hostname; > } > 725c743 < hr = hc.sslConnect(ca_hostname,ca_admin_port,admin_uri,query_string); --- > hr = hc.sslConnect(ca_admin_hostname,ca_admin_port,admin_uri,query_string); 738c756 < System.out.println("Imported Cert=" + cert_to_import); --- > System.out.println("Cert to Import=" + cert_to_import); 765c783 < URLEncoder.encode( ca_hostname ) + --- > URLEncoder.encode( ca_admin_hostname ) + 933a952 > StringHolder x_ca_admin_hostname = new StringHolder(); 1026c1045 < parser.addOption ("-ca_hostname %s #CA Hostname", --- > parser.addOption ("-ca_hostname %s #CA EE Hostname", 1027a1047,1048 > parser.addOption ("-ca_admin_hostname %s #CA Admin Hostname", > x_ca_admin_hostname); 1160a1182 > ca_admin_hostname = x_ca_admin_hostname.value; diff -r 20130410/pki/base/silent/templates/.svn/entries 20130413/pki/base/silent/templates/.svn/entries 4c4 < 2558 --- > 2564 10,11c10,11 < 2013-02-21T19:36:45.980348Z < 2531 --- > 2013-04-11T20:38:49.312670Z > 2559 29c29 < silentEC_readme.txt --- > silent_ocsp_ip_port.template 30a31 > 0 
33,41c34 < < < 2013-02-21T01:38:44.000000Z < dfc13aaa1353e5849b1d320f4668d4f1 < 2013-02-20T22:02:49.508780Z < 2526 < cfu < < --- > add 46a40,45 > has-props > has-prop-mods > > silent_ra_to_ip_port.template > file > 0 48a48 > add 53a54,59 > has-props > has-prop-mods > > silent_tps_to_ip_port.template > file > 0 55a62 > add 61c68,69 < 115 --- > has-props > has-prop-mods 63c71 < silentEC_tks.template --- > silentEC_subca.template 69,72c77,80 < 2013-03-22T01:03:40.000000Z < cb3b6b9e8c672d39cb6ae3eb1001fa98 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T03:15:05.000000Z > ffe6eb492ab95f5db3cb93c0025daf20 > 2013-04-11T20:38:49.312670Z > 2559 95c103 < 19316 --- > 22867 97,111c105 < silent_kra_ip_port.template < file < 0 < < < add < < < < < < has-props < has-prop-mods < < silentEC_ca.template --- > silentEC_readme.txt 117,118c111,112 < 2013-03-22T01:03:40.000000Z < 00f1a73bbb761f0ce124cd1b4967a89d --- > 2013-04-13T03:15:05.000000Z > dfc13aaa1353e5849b1d320f4668d4f1 122d115 < has-props 143c136,137 < 24086 --- > > 115 145c139 < silentEC_ocsp.template --- > silentEC_tks.template 151,154c145,148 < 2013-03-22T01:03:40.000000Z < c4b5f6b7b83a0c1fa7bfbabd8b9fe16e < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T03:15:05.000000Z > 10a8bcd35971d6a0c3057cc8bef95406 > 2013-04-11T20:38:49.312670Z > 2559 177c171 < 19853 --- > 19262 179c173 < subca_silent.template --- > silent_kra_ip_port.template 180a175 > 0 182a178 > add 185,190d180 < 2013-03-22T01:03:40.000000Z < 5ce11c97d5387f007adbf1aaf3f1e4d5 < 2013-02-21T19:36:45.980348Z < 2531 < cfu < has-props 193a184,188 > has-props > has-prop-mods > > silentEC_ocsp.template > file 197a193,198 > 2013-04-13T03:15:05.000000Z > 12f5b50280431da90134d2c55dfc3b4e > 2013-04-11T20:38:49.312670Z > 2559 > cfu > has-props 211,215d211 < 19959 < < silent_tks_ip_port.template < file < 0 218d213 < add 224,225c219 < has-props < has-prop-mods --- > 19670 233,236c227,230 < 2013-03-22T01:03:40.000000Z < 6b62c8058655df22ed5accfd95dfca54 < 
2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T03:15:05.000000Z > a4a9df6f78b4e8020d1aff846e324cca > 2013-04-11T20:38:49.312670Z > 2559 259c253 < 19978 --- > 19793 275c269 < silent_ocsp_ip_port.template --- > pki_silent.template 277d270 < 0 280c273,280 < add --- > > > 2013-04-13T01:11:04.000000Z > 8084968320ea19bcd9cce57e9e983a3a > 2013-04-11T20:38:49.312670Z > 2559 > cfu > has-props 286,287c286,301 < has-props < has-prop-mods --- > > > > > > > > > > > > > > > > 72509 289c303 < pki_silent.template --- > silentEC_kra.template 295,298c309,312 < 2013-03-22T01:03:40.000000Z < 0856601e9a370e08411628ae45056b01 < 2013-02-21T19:36:45.980348Z < 2531 --- > 2013-04-13T03:15:05.000000Z > c8a2999a74286ab38db07e19f85db621 > 2013-04-11T20:38:49.312670Z > 2559 321c335 < 72548 --- > 22168 323c337 < silentEC_kra.template --- > silentEC_ca.template 329,332c343,346 < 2013-03-22T01:03:40.000000Z < 9fe8cc4f24e4dda0f0f2e294a7db4b23 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T03:15:05.000000Z > 2b0fa0895c8e293a5e893326ae31ed02 > 2013-04-11T20:38:49.312670Z > 2559 355c369 < 22231 --- > 24031 357c371 < silentEC_subca.template --- > subca_silent.template 363,366c377,380 < 2013-03-22T01:03:40.000000Z < c16fef52fef6465731a37af3b4526ed5 < 2013-02-20T22:02:49.508780Z < 2526 --- > 2013-04-13T01:11:04.000000Z > a66b35aff865e62010c59f9441cdb95c > 2013-04-11T20:38:49.312670Z > 2559 389c403,417 < 22930 --- > 19947 > > silent_tks_ip_port.template > file > 0 > > > add > > > > > > has-props > has-prop-mods Only in 20130413/pki/base/silent/templates/.svn/props: silent_ra_to_ip_port.template.svn-work Only in 20130413/pki/base/silent/templates/.svn/props: silent_tps_to_ip_port.template.svn-work diff -r 20130410/pki/base/silent/templates/.svn/text-base/pki_silent.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/pki_silent.template.svn-base 83c83 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 809,810c809,810 < if [ 
"${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 1080c1080 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1151c1151 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1214c1214 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1286c1286 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1360c1360 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1430c1430 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1503c1503 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1571c1571 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1637c1637 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1709c1709 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_ca.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_ca.template.svn-base 95c95 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 98c98 < 
pki_silent_security_database_password= --- > pki_silent_security_token_password= 411,412c411,412 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 498c498 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user 503c503 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 505c505 < printf " required by '${pki_silent_script}' exists at the\n" --- > printf " required by '${pki_silent_script}' at the\n" 507,508c507 < printf "\n" < printf " Continue...\n\n" --- > printf " are to be used \n\n" 555c554 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_kra.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_kra.template.svn-base 94c94 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 97c97 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 386,387c386,387 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 473c473 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
478c478 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The security databases\n" 480c480 < printf " required by '${pki_silent_script}' exists at the\n" --- > printf " required by '${pki_silent_script}' at the\n" 482,483c482 < printf "\n" < printf " Continue...\n\n" --- > printf " are to be used.\n\n" 516c515 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_ocsp.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_ocsp.template.svn-base 93c93 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 96c96 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 339,340c339,340 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 426c426 < ## Instead, inform the user and exit this script. 
--- > ## Instead, just inform the user 431c431 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 433c433 < printf " required by '${pki_silent_script}' exists at the\n" --- > printf " required by '${pki_silent_script}' at the\n" 435,437c435 < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" --- > printf " are to be used.\n\n" 469c467 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_subca.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_subca.template.svn-base 98c98 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 101c101 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 369,370c369,370 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 456c456 < ## Instead, inform the user and continue with this script. --- > ## Instead, just inform the user. 
461c461 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 463c463 < printf " required by '${subca_silentEC_script}' exists at the\n" --- > printf " required by '${subca_silentEC_script}' at the\n" 465,466c465 < printf "\n" < printf " Continue...\n\n" --- > printf " are to be used.\n\n" 523c522 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_tks.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_tks.template.svn-base 94c94 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 97c97 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 338,339c338,339 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 426c426 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
431c431 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 433c433 < printf " required by '${pki_silent_script}' exists at the\n" --- > printf " required by '${pki_silent_script}' at the\n" 435,436c435 < printf "\n" < printf " Continue...\n\n" --- > printf " are to be used.\n\n" 468c467 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/silentEC_tps.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/silentEC_tps.template.svn-base 96c96 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 99c99 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 351,352c351,352 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 438c438 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
443c443 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 445c445 < printf " required by '${pki_silent_script}' exists at the\n" --- > printf " required by '${pki_silent_script}' at the\n" 447,449c447 < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" --- > printf " are to be used.\n\n" 489c487 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/.svn/text-base/subca_silent.template.svn-base 20130413/pki/base/silent/templates/.svn/text-base/subca_silent.template.svn-base 86c86 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 317,318c317,318 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 475c475 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/pki_silent.template 20130413/pki/base/silent/templates/pki_silent.template 83c83 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 708a709 > ra_chosen_ca_admin_hostname=${pki_security_domain_host} 763a765 > tps_chosen_ca_admin_hostname=${pki_security_domain_host} 809,810c811,812 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 1080c1082 < -client_certdb_pwd 
${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1151c1153 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1214c1216 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1286c1288 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1360c1362 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1430c1432 < # -client_certdb_pwd ${pki_silent_security_database_password} \ --- > # -client_certdb_pwd ${pki_silent_security_token_password} \ 1503c1505 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1571c1573 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1632a1635 > -ca_admin_hostname ${ra_chosen_ca_admin_hostname} \ 1637c1640 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ 1699a1703 > -ca_admin_hostname ${tps_chosen_ca_admin_hostname} \ 1709c1713 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_ca.template 20130413/pki/base/silent/templates/silentEC_ca.template 25c25 < printf " (2) Install (but not configure) the Root CA subsystem instance\n" --- > printf " (2) Install (but do NOT configure) the Root CA subsystem instance\n" 27c27 < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" --- > printf " Follow ECC setup instructions in silentEC_readme.txt.\n\n" 30,31c30,31 < printf " without the '.template' extension.\n" 
< printf " (e .g. - 'configure_ec_ca_instance')\n\n" --- > printf " without the '.template' extension\n" > printf " (e .g. - 'configure_ec_ca_instance').\n\n" 38c38 < printf " configure a 'default' CA subsystem instance.\n" --- > printf " configure this CA subsystem instance\n" 95c95 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 98c98 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 411,412c411,412 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 498c498 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 503c503 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 505,509c505,508 < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Continue...\n\n" < # exit 255 --- > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" > # exit 255 513c512 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_ca_log}' 555c554 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_kra.template 20130413/pki/base/silent/templates/silentEC_kra.template 18,20d17 < printf "Important:\n" < printf " Use the following reference for essential EC setup prior to running this script:\n" < printf " silentEC_readme.txt.\n\n" 21a19,22 > printf "Important: Use the 
following reference for essential EC setup\n" > printf " prior to running this script:\n" > printf "\n" > printf " silentEC_readme.txt.\n\n" 26,27c27,28 < printf " (3) Install (but not configure) a DRM subsystem instance\n" < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" --- > printf " (3) Install (but do NOT configure) a DRM subsystem instance.\n\n" > printf " Follow ECC setup instructions in silentEC_readme.txt.\n\n" 30,31c31,32 < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_kra_ec_instances')\n\n" --- > printf " without the '.template' extension\n" > printf " (e .g. - 'configure_ec_kra_instance').\n\n" 36c37 < printf " (8) Become the DRM administrator user (not 'root' user),\n" --- > printf " (8) Become the DRM administrator user (NOT 'root' user),\n" 38c39 < printf " configure the DRM subsystem instances.\n\n" --- > printf " configure this DRM subsystem instance.\n\n" 94c95 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 97c98 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 386,387c387,388 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 473c474 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
478c479 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 480,483c481,483 < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Continue...\n\n" --- > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 488c488 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_kra_log}' 516c516 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_ocsp.template 20130413/pki/base/silent/templates/silentEC_ocsp.template 18,19d17 < printf " Use the following reference for essential EC setup prior to running this script:\n" < printf " silentEC_readme.txt.\n\n" 20a19,22 > printf "Important: Use the following reference for essential EC setup\n" > printf " prior to running this script:\n" > printf "\n" > printf " silentEC_readme.txt.\n\n" 25,26c27,28 < printf " (3) Install (but not configure) a OCSP subsystem instance\n" < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" --- > printf " (3) Install (but do NOT configure) an OCSP subsystem instance.\n\n" > printf " Follow ECC setup instructions in silentEC_readme.txt.\n\n" 29,30c31,32 < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_ocsp_ec_instances')\n\n" --- > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_ec_ocsp_instance').\n\n" 35c37 < printf " (8) Become the OCSP administrator user (not 'root' user),\n" --- > printf " (8) Become the OCSP administrator user (NOT 'root' user),\n" 37c39 < printf " configure the OCSP subsystem instances.\n\n" --- > printf " configure this OCSP subsystem instance.\n\n" 93c95 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 96c98 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 339,340c341,342 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 426c428 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 431c433 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 433,437c435,437 < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" --- > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 442c442 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_ocsp_log}' 469c469 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_subca.template 20130413/pki/base/silent/templates/silentEC_subca.template 30c30 < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" 
--- > printf " Follow ECC setup instructions in 'silentEC_readme.txt'.\n\n" 33,34c33,34 < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_ec_subca_instance')\n\n" --- > printf " without the '.template' extension\n" > printf " (e .g. - 'configure_ec_subca_instance').\n\n" 39c39 < printf " (8) Become the subca administrator user (NOT 'root' user),\n" --- > printf " (8) Become the Subordinate CA administrator user (NOT 'root' user),\n" 41c41 < printf " configure a Subordinate CA subsystem instance.\n\n" --- > printf " configure this Subordinate CA subsystem instance.\n\n" 98c98 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 101c101 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 369,370c369,370 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 456c456 < ## Instead, inform the user and continue with this script. --- > ## Instead, just inform the user. 
461c461 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 463,466c463,465 < printf " required by '${subca_silentEC_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Continue...\n\n" --- > printf " required by '${subca_silentEC_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 471c470 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_subca_log}' 523c522 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_tks.template 20130413/pki/base/silent/templates/silentEC_tks.template 18,20d17 < printf "Important:\n" < printf " Use the following reference for essential EC setup prior to running this script:\n" < printf " silentEC_readme.txt.\n\n" 21a19,22 > printf "Important: Use the following reference for essential EC setup\n" > printf " prior to running this script:\n" > printf "\n" > printf " silentEC_readme.txt.\n\n" 26,32c27,33 < printf " (3) Install (but not configure) a TKS subsystem instance.\n" < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" < printf " (3) Install the 'pki-silent' package.\n\n" < printf " (4) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_tks_ec_instances')\n\n" < printf " (5) Fill in all MANDATORY user-defined variables\n" --- > printf " (3) Install (but do NOT configure) a TKS subsystem instance.\n\n" > printf " Follow ECC setup instructions in 'silentEC_readme.txt'.\n\n" > printf " (4) Install the 'pki-silent' package.\n\n" > printf " (5) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_ec_tks_instance').\n\n" > printf " (6) Fill in all MANDATORY user-defined variables\n" 34c35 < printf " (6) Change any OPTIONAL user-defined variables\n" --- > printf " (7) Change any OPTIONAL user-defined variables\n" 36c37 < printf " (7) Become the TKS administrator user (not 'root' user),\n" --- > printf " (8) Become the TKS administrator user (NOT 'root' user),\n" 38c39 < printf " configure the TKS subsystem instances.\n\n" --- > printf " configure this TKS subsystem instance.\n\n" 94c95 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 97c98 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 338,339c339,340 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 426c427 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
431c432 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 433,436c434,436 < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Continue...\n\n" --- > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 441c441 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_tks_log}' 468c468 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silentEC_tps.template 20130413/pki/base/silent/templates/silentEC_tps.template 17,40c17,41 < if [ "${pki_silent_script}" = "pki_silent.template" ] ; then < printf "Important:\n" < printf " Use the following reference for essential EC setup prior to running this script:\n" < printf " silentEC_readme.txt.\n\n" < printf "\n" < printf "\n" < printf "Usage: (1) Install AND configure a directory server instance.\n\n" < printf " (2) Install AND configure a Root CA subsystem instance\n" < printf " that is its own security domain.\n\n" < printf " (3) Install and configure a TKS subsystem instance\n" < printf " (4) (optionally) Install and configure a DRM subsystem instance\n" < printf " (5) Install (but not configure) a TPS subsystem instance\n" < printf " Follow ECC setup instruction in silentEC_readme.txt.\n" < printf " (6) Install the 'pki-silent' package.\n\n" < printf " (7) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. 
- 'configure_tps_ec_instances')\n\n" < printf " (8) Fill in all MANDATORY user-defined variables\n" < printf " in the new script.\n\n" < printf " (9) Change any OPTIONAL user-defined variables\n" < printf " in the new script as desired.\n\n" < printf " (10) Become the TPS administrator user (not 'root' user),\n" < printf " and execute the new script to\n" < printf " configure the TPS subsystem instances.\n\n" --- > if [ "${pki_silent_script}" = "silentEC_tps.template" ] ; then > printf "\n" > printf "Important: Use the following reference for essential EC setup\n" > printf " prior to running this script:\n" > printf "\n" > printf " silentEC_readme.txt.\n\n" > printf "\n" > printf "Usage: ( 1) Install AND configure a directory server instance.\n\n" > printf " ( 2) Install AND configure a Root CA subsystem instance\n" > printf " that is its own security domain.\n\n" > printf " ( 3) Install AND configure a TKS subsystem instance.\n\n" > printf " ( 4) (optionally) Install and configure a DRM subsystem instance.\n\n" > printf " ( 5) Install (but do NOT configure) a TPS subsystem instance.\n\n" > printf " Follow ECC setup instructions in 'silentEC_readme.txt'.\n\n" > printf " ( 6) Install the 'pki-silent' package.\n\n" > printf " ( 7) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_ec_tps_instance').\n\n" > printf " ( 8) Fill in all MANDATORY user-defined variables\n" > printf " in the new script.\n\n" > printf " ( 9) Change any OPTIONAL user-defined variables\n" > printf " in the new script as desired.\n\n" > printf " (10) Become the TPS administrator user (NOT 'root' user),\n" > printf " and execute the new script to\n" > printf " configure this TPS subsystem instance.\n\n" 96c97 < ##pki_silent_security_database_password="mypasswd" --- > ##pki_silent_security_token_password="mypasswd" 99c100 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 289a291 > tps_chosen_ca_admin_hostname=${pki_security_domain_host} 351,352c353,354 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 438c440 < ## Instead, inform the user and exit this script. --- > ## Instead, just inform the user. 
443c445 < printf "WARNING: At least one of the security databases\n" --- > printf "WARNING: The existing security databases\n" 445,449c447,449 < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" --- > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 454c454 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_tps_log}' 479a480 > -ca_admin_hostname ${tps_chosen_ca_admin_hostname} \ 489c490 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/silent/templates/silent_ca_ip_port.template 20130413/pki/base/silent/templates/silent_ca_ip_port.template 17,33c17,33 < if [ "${pki_silent_script}" = "silent_ca_ip_port.template" ] ; then < printf "\n" < printf "Usage: (1) Install AND configure a directory server instance.\n\n" < printf " (2) Install, but do NOT configure a\n" < printf " 'default' PKI CA subsystem instance\n" < printf " using the IP Port Separation Mode.\n\n" < printf " (3) Install the 'pki-silent' package.\n\n" < printf " (4) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. 
- 'configure_default_pki_ca_ip_port_instance')\n\n" < printf " (5) Fill in all MANDATORY user-defined variables\n" < printf " in the new script.\n\n" < printf " (6) Change any OPTIONAL user-defined variables\n" < printf " in the new script as desired.\n\n" < printf " (7) Become the 'root' user, and execute the new script to\n" < printf " configure this 'default' PKI CA subsystem instance.\n\n" < exit 255 --- > if [ "${pki_silent_script}" = "silent_ca_ip_port.template" ] ; then > printf "\n" > printf "Usage: (1) Install AND configure a directory server instance.\n\n" > printf " (2) Install, but do NOT configure a\n" > printf " PKI CA subsystem instance\n" > printf " using the IP Port Separation Mode.\n\n" > printf " (3) Install the 'pki-silent' package.\n\n" > printf " (4) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. - 'configure_ca_ip_port_instance').\n\n" > printf " (5) Fill in all MANDATORY user-defined variables\n" > printf " in the new script.\n\n" > printf " (6) Change any OPTIONAL user-defined variables\n" > printf " in the new script as desired.\n\n" > printf " (7) Become the 'root' user, and execute the new script to\n" > printf " configure this PKI CA subsystem instance.\n\n" > exit 255 45,47c45,47 < MY_EUID=`/usr/bin/id -u` < MY_UID=`/usr/bin/id -ur` < USERNAME=`/usr/bin/id -un` --- > MY_EUID=`/usr/bin/id -u` > MY_UID=`/usr/bin/id -ur` > USERNAME=`/usr/bin/id -un` 49,50c49,50 < printf "ERROR: Unsupported operating system '${OS}'!\n" < exit 255 --- > printf "ERROR: Unsupported operating system '${OS}'!\n" > exit 255 53,56c53,56 < if [ "${MY_UID}" != "${ROOTUID}" ] && < [ "${MY_EUID}" != "${ROOTUID}" ] ; then < printf "ERROR: The '$0' script must be run as root!\n" < exit 255 --- > if [ "${MY_UID}" != "${ROOTUID}" ] && > [ "${MY_EUID}" != "${ROOTUID}" ] ; then > printf "ERROR: The '$0' script must be run as root!\n" > exit 255 81c81 < ## PKI Subsystem Hosts (FQDN) --- > ## PKI CA Subsystem Hosts (FQDN) 
86a87,107 > ## > ## NOTE: Default PKI CA Instance Ports > ## > ## 9180 - non-secure port (not role specific) > ## 9701 - non-secure Tomcat port > ## 9443 - secure EE port > ## 9444 - secure Agent port > ## 9445 - secure Admin port > ## 9446 - secure EE Client Auth port (not necessarily labeled) > ## > ## > ## For Example: > ## > ## semanage port -l | grep pki > ## > ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 > ## > > ## PKI CA ports > pki_ca_admin_port= > 90c111 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 120,121c141,142 < ## For testing, however, it is often convenient to simply OVERWRITE any exiting < ## data in the LDAP database. If this is desirable, set: --- > ## For testing, however, it is often convenient to simply OVERWRITE any > ## existing data in the LDAP database. If this is desirable, set: 129,130c150,151 < ca_token_name=internal < ca_token_password= --- > pki_ca_token_name=internal > pki_ca_token_password= 134c155 < ca_backup_password= --- > pki_ca_backup_password= 154,158d174 < < ############################################################################## < ## P R E - D E F I N E D " D E F A U L T " V A R I A B L E S ## < ############################################################################## < 160c176 < ca_subsystem_name="Certificate\ Authority" --- > pki_ca_subsystem_name="Certificate\ Authority" 163,181c179 < ca_instance_name="pki-ca" < < ## < ## NOTE: Default CA Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## *446 - secure EE Client Auth port < ## < ## < ## For Example: < ## < ## semanage port -l | grep pki < ## < ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445, 9446 < ## --- > pki_ca_instance_name="pki-ca" 183,189c181,182 < ## CA ports < ca_nonssl_port=9180 < ca_agent_port=9443 < ca_ee_port=9444 < ca_admin_port=9445 < ca_ee_ca_port=9446 < 
ca_tomcat_server_port=9701 --- > ## PKI Silent Log Files > pki_silent_ca_log=/tmp/ca.log 197,200d189 < ## PKI Silent Log Files < pki_silent_ca_log=/tmp/ca.log < < 211c200 < ## CA Administrator of Instance ${ca_instance_name}'s --- > ## CA Administrator of Instance ${pki_ca_instance_name}'s 222c211 < ## + "${ca_instance_name}'s " --- > ## + "${pki_ca_instance_name}'s " 225c214 < ## + "${ca_instance_name}," --- > ## + "${pki_ca_instance_name}," 238,239c227,228 < ## "/var/lib/${ca_instance_name}/alias/" security libraries would be < ## something similar to this: --- > ## "/var/lib/${pki_ca_instance_name}/alias/" security libraries would > ## be something similar to this: 244,248c233,237 < ## ocspSigningCert cert-${ca_instance_name} u,u,u < ## subsystemCert cert-${ca_instance_name} u,u,u < ## caSigningCert cert-${ca_instance_name} CTu,Cu,Cu < ## Server-Cert cert-${ca_instance_name} u,u,u < ## auditSigningCert cert-${ca_instance_name} u,u,u --- > ## ocspSigningCert cert-${pki_ca_instance_name} u,u,u > ## subsystemCert cert-${pki_ca_instance_name} u,u,u > ## caSigningCert cert-${pki_ca_instance_name} CTu,Cu,Cu > ## Server-Cert cert-${pki_ca_instance_name} u,u,u > ## auditSigningCert cert-${pki_ca_instance_name} u,u,u 252c241 < ## Nickname: "caSigningCert cert-${ca_instance_name}" --- > ## Nickname: "caSigningCert cert-${pki_ca_instance_name}" 256c245 < ## Nickname: "subsystemCert cert-${ca_instance_name}" --- > ## Nickname: "subsystemCert cert-${pki_ca_instance_name}" 260c249 < ## Nickname: "ocspSigningCert cert-${ca_instance_name}" --- > ## Nickname: "ocspSigningCert cert-${pki_ca_instance_name}" 264c253 < ## Nickname: "Server-Cert cert-${ca_instance_name}" --- > ## Nickname: "Server-Cert cert-${pki_ca_instance_name}" 268c257 < ## Nickname: "auditSigningCert cert-${ca_instance_name}" --- > ## Nickname: "auditSigningCert cert-${pki_ca_instance_name}" 272,276c261,273 < ## NOTE: The parameters for the signing and key algorithms have the following meaning: < ## 
ca_key_algorithm - signature algorithm used to sign the CA certificate < ## ca_signing_algorithm - signature algorithm used by the CA and OCSP signing certs to sign objects. < ## ca_signing_signingalgorithm - optionally specify the algorithm used by the CA signing cert to sign objects < ## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm used by the CA ocsp signing cert to sign objects --- > ## NOTE: The parameters for the signing and key algorithms have the following > ## meaning: > ## ca_key_algorithm - signature algorithm used to sign > ## the CA certificate > ## ca_signing_algorithm - signature algorithm used by the > ## CA and OCSP signing certs to sign > ## objects. > ## ca_signing_signingalgorithm - optionally specify the algorithm > ## used by the CA signing cert to > ## sign objects > ## ca_ocsp_signing_signingalgorithm - optionally specify the algorithm > ## used by the CA ocsp signing cert > ## to sign objects 279c276,278 < ## remove_data - set to true/false. Remove any existing data found under the baseDN --- > ## remove_data - set to true/false. 
Remove any > ## existing data found under the > ## baseDN 280a280 > ## 282c282 < ca_agent_name="CA\ Administrator\ of\ Instance\ ${ca_instance_name}\'s\ ${pki_security_domain_name}\ ID" --- > ca_agent_name="CA\ Administrator\ of\ Instance\ ${pki_ca_instance_name}\'s\ ${pki_security_domain_name}\ ID" 285,287c285,287 < ca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${ca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" < ca_base_dn="dc=${pki_ca_admin_host}-${ca_instance_name}" < ca_db_name="${pki_ca_admin_host}-${ca_instance_name}" --- > ca_agent_cert_subject="cn=CA\ Administrator\ of\ Instance\ ${pki_ca_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" > ca_base_dn="dc=${pki_ca_admin_host}-${pki_ca_instance_name}" > ca_db_name="${pki_ca_admin_host}-${pki_ca_instance_name}" 320,321c320,321 < printf "${usage_error_preamble} 'pki_ca_agent_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_agent_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 324,325c324,325 < printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 328,329c328,329 < printf "${usage_error_preamble} 'pki_ca_eeca_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_eeca_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 332,333c332,333 < printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 335,337c335,341 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ca_admin_port}" = "" ] ; then > printf 
"${usage_error_preamble} 'pki_ca_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 340,341c344,345 < printf "${usage_error_preamble} 'pki_security_domain_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 344,345c348,349 < printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 348,349c352,353 < printf "${usage_error_preamble} 'pki_ldap_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ldap_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 352,353c356,357 < printf "${usage_error_preamble} 'pki_bind_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_bind_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 356,357c360,361 < printf "${usage_error_preamble} 'pki_remove_data'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_remove_data'!\n" > usage_errors=`expr ${usage_errors} + 1` 359,365c363,369 < if [ "${ca_token_password}" = "" ] ; then < printf "${usage_error_preamble} 'ca_token_password'!\n" < usage_errors=`expr ${usage_errors} + 1` < fi < if [ "${ca_backup_password}" = "" ] ; then < printf "${usage_error_preamble} 'ca_backup_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ca_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_backup_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_backup_password'!\n" > 
usage_errors=`expr ${usage_errors} + 1` 368,369c372,373 < printf "${usage_error_preamble} 'pki_email_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 372,373c376,377 < printf "${usage_error_preamble} 'pki_email_company'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_company'!\n" > usage_errors=`expr ${usage_errors} + 1` 376,377c380,381 < printf "${usage_error_preamble} 'pki_email_domain'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_domain'!\n" > usage_errors=`expr ${usage_errors} + 1` 380,381c384,385 < printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 393,395c397,399 < if [ ! -f "/var/lib/${ca_instance_name}/conf/CS.cfg" ] ; then < printf "${existence_error_preamble} '${ca_instance_name}' EXISTS!\n" < existence_errors=`expr ${existence_errors} + 1` --- > if [ ! 
-f "/var/lib/${pki_ca_instance_name}/conf/CS.cfg" ] ; then > printf "${existence_error_preamble} '${pki_ca_instance_name}' EXISTS!\n" > existence_errors=`expr ${existence_errors} + 1` 397,402c401,406 < ca_configuration_check=`grep -c preop /var/lib/${ca_instance_name}/conf/CS.cfg` < if [ ${ca_configuration_check} -eq 0 ] ; then < printf "${configuration_error_preamble} '${ca_instance_name}' " < printf "${configuration_error_postamble}\n" < configuration_errors=`expr ${configuration_errors} + 1` < fi --- > ca_configuration_check=`grep -c preop /var/lib/${pki_ca_instance_name}/conf/CS.cfg` > if [ ${ca_configuration_check} -eq 0 ] ; then > printf "${configuration_error_preamble} '${pki_ca_instance_name}' " > printf "${configuration_error_postamble}\n" > configuration_errors=`expr ${configuration_errors} + 1` > fi 406,412c410,416 < if [ ${usage_errors} -ne 0 ] || < [ ${existence_errors} -ne 0 ] || < [ ${configuration_errors} -ne 0 ] ; then < printf "\n" < printf "Please correct ALL errors listed above and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > if [ ${usage_errors} -ne 0 ] || > [ ${existence_errors} -ne 0 ] || > [ ${configuration_errors} -ne 0 ] ; then > printf "\n" > printf "Please correct ALL errors listed above and re-run\n" > printf "the '$0' script!\n\n" > exit 255 418,421c422,425 < printf "\n" < printf "ERROR: Please install the 'pki-silent' package and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > printf "\n" > printf "ERROR: Please install the 'pki-silent' package and re-run\n" > printf "the '$0' script!\n\n" > exit 255 426,438c430,439 < ## Instead, inform the user and exit this script. < if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || < [ -f "${pki_silent_security_database_repository}/key3.db" ] || < [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then < printf "\n" < printf "WARNING: At least one of the security databases\n" < printf " (i. e. 
- 'cert8.db', 'key3.db', and/or 'secmod.db')\n" < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" < exit 255 --- > ## Instead, just inform the user. > if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || > [ -f "${pki_silent_security_database_repository}/key3.db" ] || > [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then > printf "\n" > printf "WARNING: The existing security databases\n" > printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 442c443 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_ca_log}' 445,447c446,448 < printf " Removing old '${pki_silent_ca_log}' . . . " < rm ${pki_silent_ca_log} < printf "done.\n" --- > printf " Removing old '${pki_silent_ca_log}' . . . " > rm ${pki_silent_ca_log} > printf "done.\n" 458,459c459,460 < ca_preop_pin=`cat /var/lib/${ca_instance_name}/conf/CS.cfg \ < | grep preop.pin | grep -v grep | awk -F= '{print $2}'` --- > ca_preop_pin=`cat /var/lib/${pki_ca_instance_name}/conf/CS.cfg \ > | grep preop.pin | grep -v grep | awk -F= '{print $2}'` 468c469 < ## execute '/sbin/service ${ca_instance_name} status': --- > ## execute '/sbin/service ${pki_ca_instance_name} status': 470c471 < ## ${ca_instance_name} (pid 7843) is running ... --- > ## ${pki_ca_instance_name} (pid 7843) is running ... 488c489 < printf "'${pki_silent_script}': Configuring '${ca_instance_name}' . . .\n" --- > printf "'${pki_silent_script}': Configuring '${pki_ca_instance_name}' . . 
.\n" 490,528c491,529 < -cs_hostname "${pki_ca_admin_host}" \ < -cs_port ${ca_admin_port} \ < -client_certdb_dir ${pki_silent_security_database_repository} \ < -client_certdb_pwd ${pki_silent_security_database_password} \ < -client_token_name ${pki_silent_security_token_name} \ < -preop_pin ${ca_preop_pin} \ < -domain_name "${pki_security_domain_name}" \ < -admin_user ${pki_silent_admin_user} \ < -admin_password ${pki_silent_admin_password} \ < -admin_email "${pki_silent_admin_email}" \ < -agent_name ${ca_agent_name} \ < -agent_key_size ${ca_agent_key_size} \ < -agent_key_type ${ca_agent_key_type} \ < -agent_cert_subject "${ca_agent_cert_subject}" \ < -ldap_host ${pki_ldap_host} \ < -ldap_port ${pki_ldap_port} \ < -bind_dn "${pki_bind_dn}" \ < -bind_password ${pki_bind_password} \ < -base_dn "${ca_base_dn}" \ < -db_name "${ca_db_name}" \ < -remove_data "${pki_remove_data}" \ < -key_size ${ca_key_size} \ < -key_type ${ca_key_type} \ < -key_algorithm ${ca_key_algorithm} \ < -signing_algorithm ${ca_signing_algorithm} \ < -signing_signingalgorithm ${ca_signing_signingalgorithm} \ < -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \ < -save_p12 ${ca_save_p12} \ < -backup_pwd ${ca_backup_password} \ < -subsystem_name ${ca_subsystem_name} \ < -token_name ${ca_token_name} \ < -token_pwd ${ca_token_password} \ < -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ < -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \ < -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \ < -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \ < -ca_audit_signing_cert_subject_name \ < "${ca_audit_signing_cert_subject_name}" \ < | tee ${pki_silent_ca_log} --- > -cs_hostname "${pki_ca_admin_host}" \ > -cs_port ${pki_ca_admin_port} \ > -client_certdb_dir ${pki_silent_security_database_repository} \ > -client_certdb_pwd ${pki_silent_security_token_password} \ > -client_token_name ${pki_silent_security_token_name} \ > -preop_pin 
${ca_preop_pin} \ > -domain_name "${pki_security_domain_name}" \ > -admin_user ${pki_silent_admin_user} \ > -admin_password ${pki_silent_admin_password} \ > -admin_email "${pki_silent_admin_email}" \ > -agent_name ${ca_agent_name} \ > -agent_key_size ${ca_agent_key_size} \ > -agent_key_type ${ca_agent_key_type} \ > -agent_cert_subject "${ca_agent_cert_subject}" \ > -ldap_host ${pki_ldap_host} \ > -ldap_port ${pki_ldap_port} \ > -bind_dn "${pki_bind_dn}" \ > -bind_password ${pki_bind_password} \ > -base_dn "${ca_base_dn}" \ > -db_name "${ca_db_name}" \ > -remove_data "${pki_remove_data}" \ > -key_size ${ca_key_size} \ > -key_type ${ca_key_type} \ > -key_algorithm ${ca_key_algorithm} \ > -signing_algorithm ${ca_signing_algorithm} \ > -signing_signingalgorithm ${ca_signing_signingalgorithm} \ > -ocsp_signing_signingalgorithm ${ca_ocsp_signing_signingalgorithm} \ > -save_p12 ${ca_save_p12} \ > -backup_pwd ${pki_ca_backup_password} \ > -subsystem_name ${pki_ca_subsystem_name} \ > -token_name ${pki_ca_token_name} \ > -token_pwd ${pki_ca_token_password} \ > -ca_sign_cert_subject_name "${ca_sign_cert_subject_name}" \ > -ca_subsystem_cert_subject_name "${ca_subsystem_cert_subject_name}" \ > -ca_ocsp_cert_subject_name "${ca_ocsp_cert_subject_name}" \ > -ca_server_cert_subject_name "${ca_server_cert_subject_name}" \ > -ca_audit_signing_cert_subject_name \ > "${ca_audit_signing_cert_subject_name}" \ > | tee ${pki_silent_ca_log} 531c532 < /sbin/service ${ca_instance_name} restart --- > /sbin/service ${pki_ca_instance_name} restart diff -r 20130410/pki/base/silent/templates/silent_kra_ip_port.template 20130413/pki/base/silent/templates/silent_kra_ip_port.template 17,33c17,35 < if [ "${pki_silent_script}" = "silent_kra_ip_port.template" ] ; then < printf "\n" < printf "Usage: (1) Install AND configure a directory server instance.\n\n" < printf " (2) Install, but do NOT configure a\n" < printf " 'default' PKI KRA subsystem instance\n" < printf " using the IP Port Separation 
Mode.\n\n" < printf " (3) Install the 'pki-silent' package.\n\n" < printf " (4) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_default_pki_kra_ip_port_instance')\n\n" < printf " (5) Fill in all MANDATORY user-defined variables\n" < printf " in the new script.\n\n" < printf " (6) Change any OPTIONAL user-defined variables\n" < printf " in the new script as desired.\n\n" < printf " (7) Become the 'root' user, and execute the new script to\n" < printf " configure this 'default' PKI KRA subsystem instance.\n\n" < exit 255 --- > if [ "${pki_silent_script}" = "silent_kra_ip_port.template" ] ; then > printf "\n" > printf "Usage: (1) Install AND configure a directory server instance.\n\n" > printf " (2) Install AND configure a Root CA subsystem instance\n" > printf " that is its own security domain.\n\n" > printf " (3) Install, but do NOT configure a\n" > printf " PKI KRA subsystem instance\n" > printf " using the IP Port Separation Mode.\n\n" > printf " (4) Install the 'pki-silent' package.\n\n" > printf " (5) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_kra_ip_port_instance').\n\n" > printf " (6) Fill in all MANDATORY user-defined variables\n" > printf " in the new script.\n\n" > printf " (7) Change any OPTIONAL user-defined variables\n" > printf " in the new script as desired.\n\n" > printf " (8) Become the 'root' user, and execute the new script to\n" > printf " configure this PKI KRA subsystem instance.\n\n" > exit 255 45,47c47,49 < MY_EUID=`/usr/bin/id -u` < MY_UID=`/usr/bin/id -ur` < USERNAME=`/usr/bin/id -un` --- > MY_EUID=`/usr/bin/id -u` > MY_UID=`/usr/bin/id -ur` > USERNAME=`/usr/bin/id -un` 49,50c51,52 < printf "ERROR: Unsupported operating system '${OS}'!\n" < exit 255 --- > printf "ERROR: Unsupported operating system '${OS}'!\n" > exit 255 53,56c55,58 < if [ "${MY_UID}" != "${ROOTUID}" ] && < [ "${MY_EUID}" != "${ROOTUID}" ] ; then < printf "ERROR: The '$0' script must be run as root!\n" < exit 255 --- > if [ "${MY_UID}" != "${ROOTUID}" ] && > [ "${MY_EUID}" != "${ROOTUID}" ] ; then > printf "ERROR: The '$0' script must be run as root!\n" > exit 255 81c83 < ## PKI Subsystem Hosts (FQDN) --- > ## PKI CA Subsystem Hosts (FQDN) 83a86,87 > > ## PKI KRA Subsystem Hosts (FQDN) 87a92,126 > ## > ## NOTE: Default PKI CA Instance Ports > ## > ## 9180 - non-secure port (not role specific) > ## 9701 - non-secure Tomcat port > ## 9443 - secure EE port > ## 9444 - secure Agent port > ## 9445 - secure Admin port > ## 9446 - secure EE Client Auth port (not necessarily labeled) > ## > ## NOTE: Default PKI DRM Instance Ports > ## > ## 10180 - non-secure port (not role specific) > ## 10701 - non-secure Tomcat port > ## 10443 - secure EE port > ## 10444 - secure Agent port > ## 10445 - secure Admin port > ## > ## For Example: > ## > ## semanage port -l | grep pki > ## > ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 > ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 > ## > > ## PKI CA ports > pki_ca_nonssl_port= > pki_ca_ee_port= > pki_ca_agent_port= > pki_ca_admin_port= > > ## PKI DRM ports > 
pki_kra_admin_port= > 91c130 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 121,122c160,161 < ## For testing, however, it is often convenient to simply OVERWRITE any exiting < ## data in the LDAP database. If this is desirable, set: --- > ## For testing, however, it is often convenient to simply OVERWRITE any > ## existing data in the LDAP database. If this is desirable, set: 130,131c169,170 < kra_token_name=internal < kra_token_password= --- > pki_kra_token_name=internal > pki_kra_token_password= 135c174 < kra_backup_password= --- > pki_kra_backup_password= 155,160d193 < < < ############################################################################## < ## P R E - D E F I N E D " D E F A U L T " V A R I A B L E S ## < ############################################################################## < 162c195 < kra_subsystem_name="Data\ Recovery\ Manager" --- > pki_kra_subsystem_name="Data\ Recovery\ Manager" 165c198 < kra_instance_name="pki-kra" --- > pki_kra_instance_name="pki-kra" 167,206c200,201 < ## < ## NOTE: Default CA Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## *446 - secure EE Client Auth port < ## < ## NOTE: Default DRM Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## < ## For Example: < ## < ## semanage port -l | grep pki < ## < ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445, 9446 < ## pki_kra_port_t tcp 10180, 10701, 10443, 10444, 10445 < ## < < ## CA ports < ca_nonssl_port=9180 < ca_agent_port=9443 < ca_ee_port=9444 < ca_admin_port=9445 < ca_ee_ca_port=9446 < ca_tomcat_server_port=9701 < < ## DRM ports < kra_nonssl_port=10180 < kra_agent_port=10443 < kra_ee_port=10444 < kra_admin_port=10445 < kra_tomcat_server_port=10701 --- 
> ## PKI Silent Log Files > pki_silent_kra_log=/tmp/kra.log 214,217d208 < ## PKI Silent Log Files < pki_silent_kra_log=/tmp/kra.log < < 228c219 < ## KRA Administrator of Instance ${kra_instance_name}'s --- > ## KRA Administrator of Instance ${pki_kra_instance_name}'s 239c230 < ## + "${kra_instance_name}'s " --- > ## + "${pki_kra_instance_name}'s " 242c233 < ## + "${kra_instance_name}," --- > ## + "${pki_kra_instance_name}," 255,256c246,247 < ## "/var/lib/${kra_instance_name}/alias/" security libraries would be < ## something similar to this: --- > ## "/var/lib/${pki_kra_instance_name}/alias/" security libraries would > ## be something similar to this: 261,266c252,257 < ## transportCert cert-${kra_instance_name} u,u,u < ## Server-Cert cert-${kra_instance_name} u,u,u < ## auditSigningCert cert-${kra_instance_name} u,u,u < ## Certificate Authority - ${pki_security_domain_name} CT,c, < ## storageCert cert-${kra_instance_name} u,u,u < ## subsystemCert cert-${kra_instance_name} u,u,u --- > ## transportCert cert-${pki_kra_instance_name} u,u,u > ## Server-Cert cert-${pki_kra_instance_name} u,u,u > ## auditSigningCert cert-${pki_kra_instance_name} u,u,u > ## Certificate Authority - ${pki_security_domain_name} CT,c, > ## storageCert cert-${pki_kra_instance_name} u,u,u > ## subsystemCert cert-${pki_kra_instance_name} u,u,u 270c261 < ## Nickname: "transportCert cert-${kra_instance_name}" --- > ## Nickname: "transportCert cert-${pki_kra_instance_name}" 274c265 < ## Nickname: "Server-Cert cert-${kra_instance_name}" --- > ## Nickname: "Server-Cert cert-${pki_kra_instance_name}" 278c269 < ## Nickname: "auditSigningCert cert-${kra_instance_name}" --- > ## Nickname: "auditSigningCert cert-${pki_kra_instance_name}" 287c278 < ## Nickname: "storageCert cert-${kra_instance_name}" --- > ## Nickname: "storageCert cert-${pki_kra_instance_name}" 291c282 < ## Nickname: "subsystemCert cert-${kra_instance_name}" --- > ## Nickname: "subsystemCert cert-${pki_kra_instance_name}" 296c287 < 
kra_agent_name="KRA\ Administrator\ of\ Instance\ ${kra_instance_name}\'s\ ${pki_security_domain_name}\ ID" --- > kra_agent_name="KRA\ Administrator\ of\ Instance\ ${pki_kra_instance_name}\'s\ ${pki_security_domain_name}\ ID" 299,301c290,292 < kra_agent_cert_subject="cn=KRA\ Administrator\ of\ Instance\ ${kra_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" < kra_base_dn="dc=${pki_kra_admin_host}-${kra_instance_name}" < kra_db_name="${pki_kra_admin_host}-${kra_instance_name}" --- > kra_agent_cert_subject="cn=KRA\ Administrator\ of\ Instance\ ${pki_kra_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" > kra_base_dn="dc=${pki_kra_admin_host}-${pki_kra_instance_name}" > kra_db_name="${pki_kra_admin_host}-${pki_kra_instance_name}" 329,330c320,321 < printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 333,334c324,325 < printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 337,338c328,329 < printf "${usage_error_preamble} 'pki_kra_agent_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_kra_agent_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 341,342c332,333 < printf "${usage_error_preamble} 'pki_kra_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_kra_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 345,346c336,337 < printf "${usage_error_preamble} 'pki_kra_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_kra_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 348,350c339,361 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf 
"${usage_error_preamble} 'pki_silent_security_database_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ca_nonssl_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_agent_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_agent_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_ee_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_ee_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_admin_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_kra_admin_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_kra_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 353,354c364,365 < printf "${usage_error_preamble} 'pki_security_domain_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 357,358c368,369 < printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 361,362c372,373 < printf "${usage_error_preamble} 'pki_ldap_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ldap_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 365,366c376,377 < printf "${usage_error_preamble} 'pki_bind_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_bind_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 369,370c380,381 < printf 
"${usage_error_preamble} 'pki_remove_data'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_remove_data'!\n" > usage_errors=`expr ${usage_errors} + 1` 372,378c383,389 < if [ "${kra_token_password}" = "" ] ; then < printf "${usage_error_preamble} 'kra_token_password'!\n" < usage_errors=`expr ${usage_errors} + 1` < fi < if [ "${kra_backup_password}" = "" ] ; then < printf "${usage_error_preamble} 'kra_backup_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_kra_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_kra_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_kra_backup_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_kra_backup_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 381,382c392,393 < printf "${usage_error_preamble} 'pki_email_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 385,386c396,397 < printf "${usage_error_preamble} 'pki_email_company'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_company'!\n" > usage_errors=`expr ${usage_errors} + 1` 389,390c400,401 < printf "${usage_error_preamble} 'pki_email_domain'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_domain'!\n" > usage_errors=`expr ${usage_errors} + 1` 393,394c404,405 < printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 406,408c417,419 < if [ ! -f "/var/lib/${kra_instance_name}/conf/CS.cfg" ] ; then < printf "${existence_error_preamble} '${kra_instance_name}' EXISTS!\n" < existence_errors=`expr ${existence_errors} + 1` --- > if [ ! 
-f "/var/lib/${pki_kra_instance_name}/conf/CS.cfg" ] ; then > printf "${existence_error_preamble} '${pki_kra_instance_name}' EXISTS!\n" > existence_errors=`expr ${existence_errors} + 1` 410,415c421,426 < kra_configuration_check=`grep -c preop /var/lib/${kra_instance_name}/conf/CS.cfg` < if [ ${kra_configuration_check} -eq 0 ] ; then < printf "${configuration_error_preamble} '${kra_instance_name}' " < printf "${configuration_error_postamble}\n" < configuration_errors=`expr ${configuration_errors} + 1` < fi --- > kra_configuration_check=`grep -c preop /var/lib/${pki_kra_instance_name}/conf/CS.cfg` > if [ ${kra_configuration_check} -eq 0 ] ; then > printf "${configuration_error_preamble} '${pki_kra_instance_name}' " > printf "${configuration_error_postamble}\n" > configuration_errors=`expr ${configuration_errors} + 1` > fi 419,425c430,436 < if [ ${usage_errors} -ne 0 ] || < [ ${existence_errors} -ne 0 ] || < [ ${configuration_errors} -ne 0 ] ; then < printf "\n" < printf "Please correct ALL errors listed above and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > if [ ${usage_errors} -ne 0 ] || > [ ${existence_errors} -ne 0 ] || > [ ${configuration_errors} -ne 0 ] ; then > printf "\n" > printf "Please correct ALL errors listed above and re-run\n" > printf "the '$0' script!\n\n" > exit 255 431,434c442,445 < printf "\n" < printf "ERROR: Please install the 'pki-silent' package and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > printf "\n" > printf "ERROR: Please install the 'pki-silent' package and re-run\n" > printf "the '$0' script!\n\n" > exit 255 439,451c450,459 < ## Instead, inform the user and exit this script. < if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || < [ -f "${pki_silent_security_database_repository}/key3.db" ] || < [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then < printf "\n" < printf "WARNING: At least one of the security databases\n" < printf " (i. e. 
- 'cert8.db', 'key3.db', and/or 'secmod.db')\n" < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" < exit 255 --- > ## Instead, just inform the user. > if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || > [ -f "${pki_silent_security_database_repository}/key3.db" ] || > [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then > printf "\n" > printf "WARNING: The existing security databases\n" > printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 455c463 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_kra_log}' 458,460c466,468 < printf " Removing old '${pki_silent_kra_log}' . . . " < rm ${pki_silent_kra_log} < printf "done.\n" --- > printf " Removing old '${pki_silent_kra_log}' . . . " > rm ${pki_silent_kra_log} > printf "done.\n" 471,472c479,480 < kra_preop_pin=`cat /var/lib/${kra_instance_name}/conf/CS.cfg \ < | grep preop.pin | grep -v grep | awk -F= '{print $2}'` --- > kra_preop_pin=`cat /var/lib/${pki_kra_instance_name}/conf/CS.cfg \ > | grep preop.pin | grep -v grep | awk -F= '{print $2}'` 481c489 < ## execute '/sbin/service ${kra_instance_name} status': --- > ## execute '/sbin/service ${pki_kra_instance_name} status': 483c491 < ## ${kra_instance_name} (pid 11723) is running ... --- > ## ${pki_kra_instance_name} (pid 11723) is running ... 500c508 < printf "'${pki_silent_script}': Configuring '${kra_instance_name}' . . .\n" --- > printf "'${pki_silent_script}': Configuring '${pki_kra_instance_name}' . . 
.\n" 502,545c510,553 < -cs_hostname "${pki_kra_admin_host}" \ < -cs_port ${kra_admin_port} \ < -sd_hostname "${pki_security_domain_host}" \ < -sd_ssl_port ${ca_ee_port} \ < -sd_agent_port ${ca_agent_port} \ < -sd_admin_port ${ca_admin_port} \ < -sd_admin_name "${pki_security_domain_admin_name}" \ < -sd_admin_password ${pki_security_domain_admin_password} \ < -ca_hostname ${pki_ca_ee_host} \ < -ca_port ${ca_nonssl_port} \ < -ca_ssl_port ${ca_ee_port} \ < -client_certdb_dir ${pki_silent_security_database_repository} \ < -client_certdb_pwd ${pki_silent_security_database_password} \ < -client_token_name ${pki_silent_security_token_name} \ < -preop_pin ${kra_preop_pin} \ < -domain_name "${pki_security_domain_name}" \ < -admin_user ${pki_silent_admin_user} \ < -admin_password ${pki_silent_admin_password} \ < -admin_email "${pki_silent_admin_email}" \ < -agent_name ${kra_agent_name} \ < -ldap_host ${pki_ldap_host} \ < -ldap_port ${pki_ldap_port} \ < -bind_dn "${pki_bind_dn}" \ < -bind_password ${pki_bind_password} \ < -base_dn "${kra_base_dn}" \ < -db_name "${kra_db_name}" \ < -remove_data "${pki_remove_data}" \ < -key_size ${kra_key_size} \ < -key_type ${kra_key_type} \ < -token_name ${kra_token_name} \ < -token_pwd ${kra_token_password} \ < -agent_key_size ${kra_agent_key_size} \ < -agent_key_type ${kra_agent_key_type} \ < -agent_cert_subject "${kra_agent_cert_subject}" \ < -subsystem_name ${kra_subsystem_name} \ < -save_p12 ${kra_save_p12} \ < -backup_pwd ${kra_backup_password} \ < -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ < -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ < -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ < -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \ < -drm_audit_signing_cert_subject_name \ < "${kra_audit_signing_cert_subject_name}" \ < | tee ${pki_silent_kra_log} --- > -cs_hostname "${pki_kra_admin_host}" \ > -cs_port ${pki_kra_admin_port} \ > -sd_hostname 
"${pki_security_domain_host}" \ > -sd_ssl_port ${pki_ca_ee_port} \ > -sd_agent_port ${pki_ca_agent_port} \ > -sd_admin_port ${pki_ca_admin_port} \ > -sd_admin_name "${pki_security_domain_admin_name}" \ > -sd_admin_password ${pki_security_domain_admin_password} \ > -ca_hostname ${pki_ca_ee_host} \ > -ca_port ${pki_ca_nonssl_port} \ > -ca_ssl_port ${pki_ca_ee_port} \ > -client_certdb_dir ${pki_silent_security_database_repository} \ > -client_certdb_pwd ${pki_silent_security_token_password} \ > -client_token_name ${pki_silent_security_token_name} \ > -preop_pin ${kra_preop_pin} \ > -domain_name "${pki_security_domain_name}" \ > -admin_user ${pki_silent_admin_user} \ > -admin_password ${pki_silent_admin_password} \ > -admin_email "${pki_silent_admin_email}" \ > -agent_name ${kra_agent_name} \ > -ldap_host ${pki_ldap_host} \ > -ldap_port ${pki_ldap_port} \ > -bind_dn "${pki_bind_dn}" \ > -bind_password ${pki_bind_password} \ > -base_dn "${kra_base_dn}" \ > -db_name "${kra_db_name}" \ > -remove_data "${pki_remove_data}" \ > -key_size ${kra_key_size} \ > -key_type ${kra_key_type} \ > -token_name ${pki_kra_token_name} \ > -token_pwd ${pki_kra_token_password} \ > -agent_key_size ${kra_agent_key_size} \ > -agent_key_type ${kra_agent_key_type} \ > -agent_cert_subject "${kra_agent_cert_subject}" \ > -subsystem_name ${pki_kra_subsystem_name} \ > -save_p12 ${kra_save_p12} \ > -backup_pwd ${pki_kra_backup_password} \ > -drm_transport_cert_subject_name "${kra_transport_cert_subject_name}" \ > -drm_subsystem_cert_subject_name "${kra_subsystem_cert_subject_name}" \ > -drm_storage_cert_subject_name "${kra_storage_cert_subject_name}" \ > -drm_server_cert_subject_name "${kra_server_cert_subject_name}" \ > -drm_audit_signing_cert_subject_name \ > "${kra_audit_signing_cert_subject_name}" \ > | tee ${pki_silent_kra_log} 548c556 < /sbin/service ${kra_instance_name} restart --- > /sbin/service ${pki_kra_instance_name} restart diff -r 
20130410/pki/base/silent/templates/silent_ocsp_ip_port.template 20130413/pki/base/silent/templates/silent_ocsp_ip_port.template 17,33c17,35 < if [ "${pki_silent_script}" = "silent_ocsp_ip_port.template" ] ; then < printf "\n" < printf "Usage: (1) Install AND configure a directory server instance.\n\n" < printf " (2) Install, but do NOT configure a\n" < printf " 'default' PKI OCSP instance\n" < printf " using the IP Port Separation Mode.\n\n" < printf " (3) Install the 'pki-silent' package.\n\n" < printf " (4) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_default_pki_ocsp_ip_port_instance')\n\n" < printf " (5) Fill in all MANDATORY user-defined variables\n" < printf " in the new script.\n\n" < printf " (6) Change any OPTIONAL user-defined variables\n" < printf " in the new script as desired.\n\n" < printf " (7) Become the 'root' user, and execute the new script to\n" < printf " configure this 'default' PKI OCSP subsystem instance.\n\n" < exit 255 --- > if [ "${pki_silent_script}" = "silent_ocsp_ip_port.template" ] ; then > printf "\n" > printf "Usage: (1) Install AND configure a directory server instance.\n\n" > printf " (2) Install AND configure a Root CA subsystem instance\n" > printf " that is its own security domain.\n\n" > printf " (3) Install, but do NOT configure a\n" > printf " PKI OCSP instance\n" > printf " using the IP Port Separation Mode.\n\n" > printf " (4) Install the 'pki-silent' package.\n\n" > printf " (5) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_ocsp_ip_port_instance').\n\n" > printf " (6) Fill in all MANDATORY user-defined variables\n" > printf " in the new script.\n\n" > printf " (7) Change any OPTIONAL user-defined variables\n" > printf " in the new script as desired.\n\n" > printf " (8) Become the 'root' user, and execute the new script to\n" > printf " configure this PKI OCSP subsystem instance.\n\n" > exit 255 45,47c47,49 < MY_EUID=`/usr/bin/id -u` < MY_UID=`/usr/bin/id -ur` < USERNAME=`/usr/bin/id -un` --- > MY_EUID=`/usr/bin/id -u` > MY_UID=`/usr/bin/id -ur` > USERNAME=`/usr/bin/id -un` 49,50c51,52 < printf "ERROR: Unsupported operating system '${OS}'!\n" < exit 255 --- > printf "ERROR: Unsupported operating system '${OS}'!\n" > exit 255 53,56c55,58 < if [ "${MY_UID}" != "${ROOTUID}" ] && < [ "${MY_EUID}" != "${ROOTUID}" ] ; then < printf "ERROR: The '$0' script must be run as root!\n" < exit 255 --- > if [ "${MY_UID}" != "${ROOTUID}" ] && > [ "${MY_EUID}" != "${ROOTUID}" ] ; then > printf "ERROR: The '$0' script must be run as root!\n" > exit 255 81c83 < ## PKI Subsystem Hosts (FQDN) --- > ## PKI CA Subsystem Hosts (FQDN) 84c86,87 < pki_ocsp_agent_host= --- > > ## PKI OCSP Subsystem Hosts (FQDN) 85a89 > pki_ocsp_agent_host= 87a92,126 > ## > ## NOTE: Default PKI CA Instance Ports > ## > ## 9180 - non-secure port (not role specific) > ## 9701 - non-secure Tomcat port > ## 9443 - secure EE port > ## 9444 - secure Agent port > ## 9445 - secure Admin port > ## 9446 - secure EE Client Auth port (not necessarily labeled) > ## > ## NOTE: Default PKI OCSP Instance Ports > ## > ## 11180 - non-secure port (not role specific) > ## 11701 - non-secure Tomcat port > ## 11443 - secure EE port > ## 11444 - secure Agent port > ## 11445 - secure Admin port > ## > ## For Example: > ## > ## semanage port -l | grep pki > ## > ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 > ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 > ## > > ## PKI CA ports > pki_ca_nonssl_port= > pki_ca_ee_port= > 
pki_ca_agent_port= > pki_ca_admin_port= > > ## PKI OCSP ports > pki_ocsp_admin_port= > 91c130 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 121,122c160,161 < ## For testing, however, it is often convenient to simply OVERWRITE any exiting < ## data in the LDAP database. If this is desirable, set: --- > ## For testing, however, it is often convenient to simply OVERWRITE any > ## existing data in the LDAP database. If this is desirable, set: 130,131c169,170 < ocsp_token_name=internal < ocsp_token_password= --- > pki_ocsp_token_name=internal > pki_ocsp_token_password= 135c174 < ocsp_backup_password= --- > pki_ocsp_backup_password= 155,160d193 < < < ############################################################################## < ## P R E - D E F I N E D " D E F A U L T " V A R I A B L E S ## < ############################################################################## < 162c195 < ocsp_subsystem_name="OCSP\ Responder" --- > pki_ocsp_subsystem_name="OCSP\ Responder" 165c198 < ocsp_instance_name="pki-ocsp" --- > pki_ocsp_instance_name="pki-ocsp" 167,206c200,201 < ## < ## NOTE: Default CA Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## *446 - secure EE Client Auth port < ## < ## NOTE: Default OCSP Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## < ## For Example: < ## < ## semanage port -l | grep pki < ## < ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445, 9446 < ## pki_ocsp_port_t tcp 11180, 11701, 11443, 11444, 11445 < ## < < ## CA ports < ca_nonssl_port=9180 < ca_agent_port=9443 < ca_ee_port=9444 < ca_admin_port=9445 < ca_ee_ca_port=9446 < ca_tomcat_server_port=9701 < < ## OCSP ports < ocsp_nonssl_port=11180 < ocsp_agent_port=11443 < 
ocsp_ee_port=11444 < ocsp_admin_port=11445 < ocsp_tomcat_server_port=11701 --- > ## PKI Silent Log Files > pki_silent_ocsp_log=/tmp/ocsp.log 214,217d208 < ## PKI Silent Log Files < pki_silent_ocsp_log=/tmp/ocsp.log < < 228c219 < ## OCSP Administrator of Instance ${ocsp_instance_name}'s --- > ## OCSP Administrator of Instance ${pki_ocsp_instance_name}'s 239c230 < ## + "${ocsp_instance_name}'s " --- > ## + "${pki_ocsp_instance_name}'s " 242c233 < ## + "${ocsp_instance_name}," --- > ## + "${pki_ocsp_instance_name}," 255,256c246,247 < ## "/var/lib/${ocsp_instance_name}/alias/" security libraries would be < ## something similar to this: --- > ## "/var/lib/${pki_ocsp_instance_name}/alias/" security libraries would > ## be something similar to this: 261,262c252,253 < ## ocspSigningCert cert-${ocsp_instance_name} CTu,Cu,Cu < ## subsystemCert cert-${ocsp_instance_name} u,u,u --- > ## ocspSigningCert cert-${pki_ocsp_instance_name} CTu,Cu,Cu > ## subsystemCert cert-${pki_ocsp_instance_name} u,u,u 264,265c255,256 < ## Server-Cert cert-${ocsp_instance_name} u,u,u < ## auditSigningCert cert-${ocsp_instance_name} u,u,u --- > ## Server-Cert cert-${pki_ocsp_instance_name} u,u,u > ## auditSigningCert cert-${pki_ocsp_instance_name} u,u,u 269c260 < ## Nickname: "ocspSigningCert cert-${ocsp_instance_name}" --- > ## Nickname: "ocspSigningCert cert-${pki_ocsp_instance_name}" 273c264 < ## Nickname: "subsystemCert cert-${ocsp_instance_name}" --- > ## Nickname: "subsystemCert cert-${pki_ocsp_instance_name}" 282c273 < ## Nickname: "Server-Cert cert-${ocsp_instance_name}" --- > ## Nickname: "Server-Cert cert-${pki_ocsp_instance_name}" 286c277 < ## Nickname: "auditSigningCert cert-${ocsp_instance_name}" --- > ## Nickname: "auditSigningCert cert-${pki_ocsp_instance_name}" 291c282 < ocsp_agent_name="OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name}\'s\ ${pki_security_domain_name}\ ID" --- > ocsp_agent_name="OCSP\ Administrator\ of\ Instance\ ${pki_ocsp_instance_name}\'s\ 
${pki_security_domain_name}\ ID" 294,296c285,287 < ocsp_agent_cert_subject="cn=OCSP\ Administrator\ of\ Instance\ ${ocsp_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" < ocsp_base_dn="dc=${pki_ocsp_admin_host}-${ocsp_instance_name}" < ocsp_db_name="${pki_ocsp_admin_host}-${ocsp_instance_name}" --- > ocsp_agent_cert_subject="cn=OCSP\ Administrator\ of\ Instance\ ${pki_ocsp_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" > ocsp_base_dn="dc=${pki_ocsp_admin_host}-${pki_ocsp_instance_name}" > ocsp_db_name="${pki_ocsp_admin_host}-${pki_ocsp_instance_name}" 325,326c316,317 < printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 329,330c320,321 < printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 333,334c324,325 < printf "${usage_error_preamble} 'pki_ocsp_agent_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ocsp_agent_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 337,338c328,329 < printf "${usage_error_preamble} 'pki_ocsp_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ocsp_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 341,342c332,333 < printf "${usage_error_preamble} 'pki_ocsp_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ocsp_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 344,346c335,357 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ca_nonssl_port}" = "" ] ; then > printf 
"${usage_error_preamble} 'pki_ca_nonssl_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_agent_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_agent_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_ee_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_ee_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_admin_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ocsp_admin_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ocsp_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 349,350c360,361 < printf "${usage_error_preamble} 'pki_security_domain_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 353,354c364,365 < printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 357,358c368,369 < printf "${usage_error_preamble} 'pki_ldap_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ldap_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 361,362c372,373 < printf "${usage_error_preamble} 'pki_bind_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_bind_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 365,366c376,377 < printf "${usage_error_preamble} 'pki_remove_data'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_remove_data'!\n" > usage_errors=`expr ${usage_errors} 
+ 1` 368,374c379,385 < if [ "${ocsp_token_password}" = "" ] ; then < printf "${usage_error_preamble} 'ocsp_token_password'!\n" < usage_errors=`expr ${usage_errors} + 1` < fi < if [ "${ocsp_backup_password}" = "" ] ; then < printf "${usage_error_preamble} 'ocsp_backup_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ocsp_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ocsp_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ocsp_backup_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ocsp_backup_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 377,378c388,389 < printf "${usage_error_preamble} 'pki_email_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 381,382c392,393 < printf "${usage_error_preamble} 'pki_email_company'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_company'!\n" > usage_errors=`expr ${usage_errors} + 1` 385,386c396,397 < printf "${usage_error_preamble} 'pki_email_domain'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_domain'!\n" > usage_errors=`expr ${usage_errors} + 1` 389,390c400,401 < printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 402,404c413,415 < if [ ! -f "/var/lib/${ocsp_instance_name}/conf/CS.cfg" ] ; then < printf "${existence_error_preamble} '${ocsp_instance_name}' EXISTS!\n" < existence_errors=`expr ${existence_errors} + 1` --- > if [ ! 
-f "/var/lib/${pki_ocsp_instance_name}/conf/CS.cfg" ] ; then > printf "${existence_error_preamble} '${pki_ocsp_instance_name}' EXISTS!\n" > existence_errors=`expr ${existence_errors} + 1` 406,411c417,422 < ocsp_configuration_check=`grep -c preop /var/lib/${ocsp_instance_name}/conf/CS.cfg` < if [ ${ocsp_configuration_check} -eq 0 ] ; then < printf "${configuration_error_preamble} '${ocsp_instance_name}' " < printf "${configuration_error_postamble}\n" < configuration_errors=`expr ${configuration_errors} + 1` < fi --- > ocsp_configuration_check=`grep -c preop /var/lib/${pki_ocsp_instance_name}/conf/CS.cfg` > if [ ${ocsp_configuration_check} -eq 0 ] ; then > printf "${configuration_error_preamble} '${pki_ocsp_instance_name}' " > printf "${configuration_error_postamble}\n" > configuration_errors=`expr ${configuration_errors} + 1` > fi 415,421c426,432 < if [ ${usage_errors} -ne 0 ] || < [ ${existence_errors} -ne 0 ] || < [ ${configuration_errors} -ne 0 ] ; then < printf "\n" < printf "Please correct ALL errors listed above and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > if [ ${usage_errors} -ne 0 ] || > [ ${existence_errors} -ne 0 ] || > [ ${configuration_errors} -ne 0 ] ; then > printf "\n" > printf "Please correct ALL errors listed above and re-run\n" > printf "the '$0' script!\n\n" > exit 255 427,430c438,441 < printf "\n" < printf "ERROR: Please install the 'pki-silent' package and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > printf "\n" > printf "ERROR: Please install the 'pki-silent' package and re-run\n" > printf "the '$0' script!\n\n" > exit 255 435,447c446,455 < ## Instead, inform the user and exit this script. < if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || < [ -f "${pki_silent_security_database_repository}/key3.db" ] || < [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then < printf "\n" < printf "WARNING: At least one of the security databases\n" < printf " (i. e. 
- 'cert8.db', 'key3.db', and/or 'secmod.db')\n" < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" < exit 255 --- > ## Instead, just inform the user. > if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || > [ -f "${pki_silent_security_database_repository}/key3.db" ] || > [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then > printf "\n" > printf "WARNING: The existing security databases\n" > printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 451c459 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_ocsp_log}' 454,456c462,464 < printf " Removing old '${pki_silent_ocsp_log}' . . . " < rm ${pki_silent_ocsp_log} < printf "done.\n" --- > printf " Removing old '${pki_silent_ocsp_log}' . . . " > rm ${pki_silent_ocsp_log} > printf "done.\n" 467,468c475,476 < ocsp_preop_pin=`cat /var/lib/${ocsp_instance_name}/conf/CS.cfg \ < | grep preop.pin | grep -v grep | awk -F= '{print $2}'` --- > ocsp_preop_pin=`cat /var/lib/${pki_ocsp_instance_name}/conf/CS.cfg \ > | grep preop.pin | grep -v grep | awk -F= '{print $2}'` 477c485 < ## execute '/sbin/service ${ocsp_instance_name} status': --- > ## execute '/sbin/service ${pki_ocsp_instance_name} status': 479c487 < ## ${ocsp_instance_name} (pid 13058) is running ... --- > ## ${pki_ocsp_instance_name} (pid 13058) is running ... 490c498 < printf "'${pki_silent_script}': Configuring '${ocsp_instance_name}' . . .\n" --- > printf "'${pki_silent_script}': Configuring '${pki_ocsp_instance_name}' . . 
.\n" 492,534c500,542 < -cs_hostname "${pki_ocsp_admin_host}" \ < -cs_port ${ocsp_admin_port} \ < -sd_hostname "${pki_security_domain_host}" \ < -sd_ssl_port ${ca_ee_port} \ < -sd_agent_port ${ca_agent_port} \ < -sd_admin_port ${ca_admin_port} \ < -sd_admin_name "${pki_security_domain_admin_name}" \ < -sd_admin_password ${pki_security_domain_admin_password} \ < -ca_hostname ${pki_ca_ee_host} \ < -ca_port ${ca_nonssl_port} \ < -ca_ssl_port ${ca_ee_port} \ < -client_certdb_dir ${pki_silent_security_database_repository} \ < -client_certdb_pwd ${pki_silent_security_database_password} \ < -client_token_name ${pki_silent_security_token_name} \ < -preop_pin ${ocsp_preop_pin} \ < -domain_name "${pki_security_domain_name}" \ < -admin_user ${pki_silent_admin_user} \ < -admin_password ${pki_silent_admin_password} \ < -admin_email "${pki_silent_admin_email}" \ < -agent_name ${ocsp_agent_name} \ < -ldap_host ${pki_ldap_host} \ < -ldap_port ${pki_ldap_port} \ < -bind_dn "${pki_bind_dn}" \ < -bind_password ${pki_bind_password} \ < -base_dn "${ocsp_base_dn}" \ < -db_name "${ocsp_db_name}" \ < -remove_data "${pki_remove_data}" \ < -key_size ${ocsp_key_size} \ < -key_type ${ocsp_key_type} \ < -token_name ${ocsp_token_name} \ < -token_pwd ${ocsp_token_password} \ < -agent_key_size ${ocsp_agent_key_size} \ < -agent_key_type ${ocsp_agent_key_type} \ < -agent_cert_subject "${ocsp_agent_cert_subject}" \ < -subsystem_name ${ocsp_subsystem_name} \ < -save_p12 ${ocsp_save_p12} \ < -backup_pwd ${ocsp_backup_password} \ < -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ < -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \ < -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \ < -ocsp_audit_signing_cert_subject_name \ < "${ocsp_audit_signing_cert_subject_name}" \ < | tee ${pki_silent_ocsp_log} --- > -cs_hostname "${pki_ocsp_admin_host}" \ > -cs_port ${pki_ocsp_admin_port} \ > -sd_hostname "${pki_security_domain_host}" \ > -sd_ssl_port 
${pki_ca_ee_port} \ > -sd_agent_port ${pki_ca_agent_port} \ > -sd_admin_port ${pki_ca_admin_port} \ > -sd_admin_name "${pki_security_domain_admin_name}" \ > -sd_admin_password ${pki_security_domain_admin_password} \ > -ca_hostname ${pki_ca_ee_host} \ > -ca_port ${pki_ca_nonssl_port} \ > -ca_ssl_port ${pki_ca_ee_port} \ > -client_certdb_dir ${pki_silent_security_database_repository} \ > -client_certdb_pwd ${pki_silent_security_token_password} \ > -client_token_name ${pki_silent_security_token_name} \ > -preop_pin ${ocsp_preop_pin} \ > -domain_name "${pki_security_domain_name}" \ > -admin_user ${pki_silent_admin_user} \ > -admin_password ${pki_silent_admin_password} \ > -admin_email "${pki_silent_admin_email}" \ > -agent_name ${ocsp_agent_name} \ > -ldap_host ${pki_ldap_host} \ > -ldap_port ${pki_ldap_port} \ > -bind_dn "${pki_bind_dn}" \ > -bind_password ${pki_bind_password} \ > -base_dn "${ocsp_base_dn}" \ > -db_name "${ocsp_db_name}" \ > -remove_data "${pki_remove_data}" \ > -key_size ${ocsp_key_size} \ > -key_type ${ocsp_key_type} \ > -token_name ${pki_ocsp_token_name} \ > -token_pwd ${pki_ocsp_token_password} \ > -agent_key_size ${ocsp_agent_key_size} \ > -agent_key_type ${ocsp_agent_key_type} \ > -agent_cert_subject "${ocsp_agent_cert_subject}" \ > -subsystem_name ${pki_ocsp_subsystem_name} \ > -save_p12 ${ocsp_save_p12} \ > -backup_pwd ${pki_ocsp_backup_password} \ > -ocsp_sign_cert_subject_name "${ocsp_sign_cert_subject_name}" \ > -ocsp_subsystem_cert_subject_name "${ocsp_subsystem_cert_subject_name}" \ > -ocsp_server_cert_subject_name "${ocsp_server_cert_subject_name}" \ > -ocsp_audit_signing_cert_subject_name \ > "${ocsp_audit_signing_cert_subject_name}" \ > | tee ${pki_silent_ocsp_log} 537c545 < /sbin/service ${ocsp_instance_name} restart --- > /sbin/service ${pki_ocsp_instance_name} restart Only in 20130413/pki/base/silent/templates: silent_ra_to_ip_port.template diff -r 20130410/pki/base/silent/templates/silent_tks_ip_port.template 
20130413/pki/base/silent/templates/silent_tks_ip_port.template 17,33c17,35 < if [ "${pki_silent_script}" = "silent_tks_ip_port.template" ] ; then < printf "\n" < printf "Usage: (1) Install AND configure a directory server instance.\n\n" < printf " (2) Install, but do NOT configure a\n" < printf " 'default' PKI TKS instance\n" < printf " using the IP Port Separation Mode.\n\n" < printf " (3) Install the 'pki-silent' package.\n\n" < printf " (4) Copy '$0' to a new script name\n" < printf " without the '.template' extension.\n" < printf " (e .g. - 'configure_default_pki_tks_ip_port_instance')\n\n" < printf " (5) Fill in all MANDATORY user-defined variables\n" < printf " in the new script.\n\n" < printf " (6) Change any OPTIONAL user-defined variables\n" < printf " in the new script as desired.\n\n" < printf " (7) Become the 'root' user, and execute the new script to\n" < printf " configure this 'default' PKI TKS subsystem instance.\n\n" < exit 255 --- > if [ "${pki_silent_script}" = "silent_tks_ip_port.template" ] ; then > printf "\n" > printf "Usage: (1) Install AND configure a directory server instance.\n\n" > printf " (2) Install AND configure a Root CA subsystem instance\n" > printf " that is its own security domain.\n\n" > printf " (3) Install, but do NOT configure a\n" > printf " PKI TKS instance\n" > printf " using the IP Port Separation Mode.\n\n" > printf " (4) Install the 'pki-silent' package.\n\n" > printf " (5) Copy '$0' to a new script name\n" > printf " without the '.template' extension\n" > printf " (e .g. 
- 'configure_tks_ip_port_instance').\n\n" > printf " (6) Fill in all MANDATORY user-defined variables\n" > printf " in the new script.\n\n" > printf " (7) Change any OPTIONAL user-defined variables\n" > printf " in the new script as desired.\n\n" > printf " (8) Become the 'root' user, and execute the new script to\n" > printf " configure this PKI TKS subsystem instance.\n\n" > exit 255 45,47c47,49 < MY_EUID=`/usr/bin/id -u` < MY_UID=`/usr/bin/id -ur` < USERNAME=`/usr/bin/id -un` --- > MY_EUID=`/usr/bin/id -u` > MY_UID=`/usr/bin/id -ur` > USERNAME=`/usr/bin/id -un` 49,50c51,52 < printf "ERROR: Unsupported operating system '${OS}'!\n" < exit 255 --- > printf "ERROR: Unsupported operating system '${OS}'!\n" > exit 255 53,56c55,58 < if [ "${MY_UID}" != "${ROOTUID}" ] && < [ "${MY_EUID}" != "${ROOTUID}" ] ; then < printf "ERROR: The '$0' script must be run as root!\n" < exit 255 --- > if [ "${MY_UID}" != "${ROOTUID}" ] && > [ "${MY_EUID}" != "${ROOTUID}" ] ; then > printf "ERROR: The '$0' script must be run as root!\n" > exit 255 81c83 < ## PKI Subsystem Hosts (FQDN) --- > ## PKI CA Subsystem Hosts (FQDN) 83a86,87 > > ## PKI TKS Subsystem Hosts (FQDN) 87a92,126 > ## > ## NOTE: Default PKI CA Instance Ports > ## > ## 9180 - non-secure port (not role specific) > ## 9701 - non-secure Tomcat port > ## 9443 - secure EE port > ## 9444 - secure Agent port > ## 9445 - secure Admin port > ## 9446 - secure EE Client Auth port (not necessarily labeled) > ## > ## NOTE: Default PKI TKS Instance Ports > ## > ## 13180 - non-secure port (not role specific) > ## 13701 - non-secure Tomcat port > ## 13443 - secure EE port > ## 13444 - secure Agent port > ## 13445 - secure Admin port > ## > ## For Example: > ## > ## semanage port -l | grep pki > ## > ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445 > ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 > ## > > ## PKI CA ports > pki_ca_nonssl_port= > pki_ca_ee_port= > pki_ca_agent_port= > pki_ca_admin_port= > > ## PKI TKS ports > 
pki_tks_admin_port= > 91c130 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 120,121c159,160 < ## For testing, however, it is often convenient to simply OVERWRITE any exiting < ## data in the LDAP database. If this is desirable, set: --- > ## For testing, however, it is often convenient to simply OVERWRITE any > ## existing data in the LDAP database. If this is desirable, set: 129,130c168,169 < tks_token_name=internal < tks_token_password= --- > pki_tks_token_name=internal > pki_tks_token_password= 134c173 < tks_backup_password= --- > pki_tks_backup_password= 154,159d192 < < < ############################################################################## < ## P R E - D E F I N E D " D E F A U L T " V A R I A B L E S ## < ############################################################################## < 161c194 < tks_subsystem_name="Token\ Key\ Service" --- > pki_tks_subsystem_name="Token\ Key\ Service" 164c197 < tks_instance_name="pki-tks" --- > pki_tks_instance_name="pki-tks" 166,205c199,200 < ## < ## NOTE: Default CA Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## *446 - secure EE Client Auth port < ## < ## NOTE: Default TKS Instance Ports < ## < ## *180 - non-secure port (not role specific) < ## *701 - non-secure Tomcat port < ## *443 - secure EE port < ## *444 - secure Agent port < ## *445 - secure Admin port < ## < ## For Example: < ## < ## semanage port -l | grep pki < ## < ## pki_ca_port_t tcp 9180, 9701, 9443, 9444, 9445, 9446 < ## pki_tks_port_t tcp 13180, 13701, 13443, 13444, 13445 < ## < < ## CA ports < ca_nonssl_port=9180 < ca_agent_port=9443 < ca_ee_port=9444 < ca_admin_port=9445 < ca_ee_ca_port=9446 < ca_tomcat_server_port=9701 < < ## TKS ports < tks_nonssl_port=13180 < tks_agent_port=13443 < tks_ee_port=13444 < tks_admin_port=13445 < tks_tomcat_server_port=13701 --- > ## 
PKI Silent Log Files > pki_silent_tks_log=/tmp/tks.log 213,216d207 < ## PKI Silent Log Files < pki_silent_tks_log=/tmp/tks.log < < 227c218 < ## TKS Administrator of Instance ${tks_instance_name}'s --- > ## TKS Administrator of Instance ${pki_tks_instance_name}'s 238c229 < ## + "${tks_instance_name}'s " --- > ## + "${pki_tks_instance_name}'s " 241c232 < ## + "${tks_instance_name}," --- > ## + "${pki_tks_instance_name}," 254,255c245,246 < ## "/var/lib/${tks_instance_name}/alias/" security libraries would be < ## something similar to this: --- > ## "/var/lib/${pki_tks_instance_name}/alias/" security libraries would > ## be something similar to this: 260c251 < ## subsystemCert cert-${tks_instance_name} u,u,u --- > ## subsystemCert cert-${pki_tks_instance_name} u,u,u 263,264c254,255 < ## Server-Cert cert-${tks_instance_name} u,u,u < ## auditSigningCert cert-${tks_instance_name} u,u,u --- > ## Server-Cert cert-${pki_tks_instance_name} u,u,u > ## auditSigningCert cert-${pki_tks_instance_name} u,u,u 268c259 < ## Nickname: "subsystemCert cert-${tks_instance_name}" --- > ## Nickname: "subsystemCert cert-${pki_tks_instance_name}" 282c273 < ## Nickname: "Server-Cert cert-${tks_instance_name}" --- > ## Nickname: "Server-Cert cert-${pki_tks_instance_name}" 286c277 < ## Nickname: "auditSigningCert cert-${tks_instance_name}" --- > ## Nickname: "auditSigningCert cert-${pki_tks_instance_name}" 291c282 < tks_agent_name="TKS\ Administrator\ of\ Instance\ ${tks_instance_name}\'s\ ${pki_security_domain_name}\ ID" --- > tks_agent_name="TKS\ Administrator\ of\ Instance\ ${pki_tks_instance_name}\'s\ ${pki_security_domain_name}\ ID" 294,296c285,287 < tks_agent_cert_subject="cn=TKS\ Administrator\ of\ Instance\ ${tks_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" < tks_base_dn="dc=${pki_tks_admin_host}-${tks_instance_name}" < tks_db_name="${pki_tks_admin_host}-${tks_instance_name}" --- > tks_agent_cert_subject="cn=TKS\ Administrator\ of\ Instance\ 
${pki_tks_instance_name},uid=admin,e=${pki_silent_admin_email},o=${pki_security_domain_name}" > tks_base_dn="dc=${pki_tks_admin_host}-${pki_tks_instance_name}" > tks_db_name="${pki_tks_admin_host}-${pki_tks_instance_name}" 323,324c314,315 < printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 327,328c318,319 < printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ca_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 331,332c322,323 < printf "${usage_error_preamble} 'pki_tks_agent_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_tks_agent_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 335,336c326,327 < printf "${usage_error_preamble} 'pki_tks_ee_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_tks_ee_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 339,340c330,331 < printf "${usage_error_preamble} 'pki_tks_admin_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_tks_admin_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 342,344c333,355 < if [ "${pki_silent_security_database_password}" = "" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_ca_nonssl_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_nonssl_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_agent_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_agent_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_ee_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_ca_ee_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_ca_admin_port}" = "" 
] ; then > printf "${usage_error_preamble} 'pki_ca_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_tks_admin_port}" = "" ] ; then > printf "${usage_error_preamble} 'pki_tks_admin_port'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 347,348c358,359 < printf "${usage_error_preamble} 'pki_security_domain_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 351,352c362,363 < printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_security_domain_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 355,356c366,367 < printf "${usage_error_preamble} 'pki_ldap_host'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_ldap_host'!\n" > usage_errors=`expr ${usage_errors} + 1` 359,360c370,371 < printf "${usage_error_preamble} 'pki_bind_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_bind_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 363,364c374,375 < printf "${usage_error_preamble} 'pki_remove_data'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_remove_data'!\n" > usage_errors=`expr ${usage_errors} + 1` 366,372c377,383 < if [ "${tks_token_password}" = "" ] ; then < printf "${usage_error_preamble} 'tks_token_password'!\n" < usage_errors=`expr ${usage_errors} + 1` < fi < if [ "${tks_backup_password}" = "" ] ; then < printf "${usage_error_preamble} 'tks_backup_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > if [ "${pki_tks_token_password}" = "" ] ; then > printf "${usage_error_preamble} 
'pki_tks_token_password'!\n" > usage_errors=`expr ${usage_errors} + 1` > fi > if [ "${pki_tks_backup_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_tks_backup_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 375,376c386,387 < printf "${usage_error_preamble} 'pki_email_name'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_name'!\n" > usage_errors=`expr ${usage_errors} + 1` 379,380c390,391 < printf "${usage_error_preamble} 'pki_email_company'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_company'!\n" > usage_errors=`expr ${usage_errors} + 1` 383,384c394,395 < printf "${usage_error_preamble} 'pki_email_domain'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_email_domain'!\n" > usage_errors=`expr ${usage_errors} + 1` 387,388c398,399 < printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" < usage_errors=`expr ${usage_errors} + 1` --- > printf "${usage_error_preamble} 'pki_silent_admin_password'!\n" > usage_errors=`expr ${usage_errors} + 1` 400,402c411,413 < if [ ! -f "/var/lib/${tks_instance_name}/conf/CS.cfg" ] ; then < printf "${existence_error_preamble} '${tks_instance_name}' EXISTS!\n" < existence_errors=`expr ${existence_errors} + 1` --- > if [ ! 
-f "/var/lib/${pki_tks_instance_name}/conf/CS.cfg" ] ; then > printf "${existence_error_preamble} '${pki_tks_instance_name}' EXISTS!\n" > existence_errors=`expr ${existence_errors} + 1` 404,409c415,420 < tks_configuration_check=`grep -c preop /var/lib/${tks_instance_name}/conf/CS.cfg` < if [ ${tks_configuration_check} -eq 0 ] ; then < printf "${configuration_error_preamble} '${tks_instance_name}' " < printf "${configuration_error_postamble}\n" < configuration_errors=`expr ${configuration_errors} + 1` < fi --- > tks_configuration_check=`grep -c preop /var/lib/${pki_tks_instance_name}/conf/CS.cfg` > if [ ${tks_configuration_check} -eq 0 ] ; then > printf "${configuration_error_preamble} '${pki_tks_instance_name}' " > printf "${configuration_error_postamble}\n" > configuration_errors=`expr ${configuration_errors} + 1` > fi 413,419c424,430 < if [ ${usage_errors} -ne 0 ] || < [ ${existence_errors} -ne 0 ] || < [ ${configuration_errors} -ne 0 ] ; then < printf "\n" < printf "Please correct ALL errors listed above and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > if [ ${usage_errors} -ne 0 ] || > [ ${existence_errors} -ne 0 ] || > [ ${configuration_errors} -ne 0 ] ; then > printf "\n" > printf "Please correct ALL errors listed above and re-run\n" > printf "the '$0' script!\n\n" > exit 255 425,428c436,439 < printf "\n" < printf "ERROR: Please install the 'pki-silent' package and re-run\n" < printf "the '$0' script!\n\n" < exit 255 --- > printf "\n" > printf "ERROR: Please install the 'pki-silent' package and re-run\n" > printf "the '$0' script!\n\n" > exit 255 433,445c444,453 < ## Instead, inform the user and exit this script. < if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || < [ -f "${pki_silent_security_database_repository}/key3.db" ] || < [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then < printf "\n" < printf "WARNING: At least one of the security databases\n" < printf " (i. e. 
- 'cert8.db', 'key3.db', and/or 'secmod.db')\n" < printf " required by '${pki_silent_script}' exists at the\n" < printf " specified location '${pki_silent_security_database_repository}'.\n" < printf "\n" < printf " Please MANUALLY move or erase these security database(s),\n" < printf " or specify a different location before re-running this script.\n\n" < exit 255 --- > ## Instead, just inform the user. > if [ -f "${pki_silent_security_database_repository}/cert8.db" ] || > [ -f "${pki_silent_security_database_repository}/key3.db" ] || > [ -f "${pki_silent_security_database_repository}/secmod.db" ] ; then > printf "\n" > printf "WARNING: The existing security databases\n" > printf " (i. e. - 'cert8.db', 'key3.db', and/or 'secmod.db')\n" > printf " required by '${pki_silent_script}' at the\n" > printf " specified location '${pki_silent_security_database_repository}'\n" > printf " will be used.\n\n" 449c457 < ## (5) Remove ALL old PKI Silent log files --- > ## (5) Remove any old PKI Silent log file named '${pki_silent_tks_log}' 452,454c460,462 < printf " Removing old '${pki_silent_tks_log}' . . . " < rm ${pki_silent_tks_log} < printf "done.\n" --- > printf " Removing old '${pki_silent_tks_log}' . . . " > rm ${pki_silent_tks_log} > printf "done.\n" 465,466c473,474 < tks_preop_pin=`cat /var/lib/${tks_instance_name}/conf/CS.cfg \ < | grep preop.pin | grep -v grep | awk -F= '{print $2}'` --- > tks_preop_pin=`cat /var/lib/${pki_tks_instance_name}/conf/CS.cfg \ > | grep preop.pin | grep -v grep | awk -F= '{print $2}'` 475c483 < ## execute '/sbin/service ${tks_instance_name} status': --- > ## execute '/sbin/service ${pki_tks_instance_name} status': 477c485 < ## ${tks_instance_name} (pid 14129) is running ... --- > ## ${pki_tks_instance_name} (pid 14129) is running ... 494c502 < printf "'${pki_silent_script}': Configuring '${tks_instance_name}' . . .\n" --- > printf "'${pki_silent_script}': Configuring '${pki_tks_instance_name}' . . 
.\n" 496,537c504,545 < -cs_hostname "${pki_tks_admin_host}" \ < -cs_port ${tks_admin_port} \ < -sd_hostname "${pki_security_domain_host}" \ < -sd_ssl_port ${ca_ee_port} \ < -sd_agent_port ${ca_agent_port} \ < -sd_admin_port ${ca_admin_port} \ < -sd_admin_name "${pki_security_domain_admin_name}" \ < -sd_admin_password ${pki_security_domain_admin_password} \ < -ca_hostname ${pki_ca_ee_host} \ < -ca_port ${ca_nonssl_port} \ < -ca_ssl_port ${ca_ee_port} \ < -client_certdb_dir ${pki_silent_security_database_repository} \ < -client_certdb_pwd ${pki_silent_security_database_password} \ < -client_token_name ${pki_silent_security_token_name} \ < -preop_pin ${tks_preop_pin} \ < -domain_name "${pki_security_domain_name}" \ < -admin_user ${pki_silent_admin_user} \ < -admin_password ${pki_silent_admin_password} \ < -admin_email "${pki_silent_admin_email}" \ < -agent_name ${tks_agent_name} \ < -ldap_host ${pki_ldap_host} \ < -ldap_port ${pki_ldap_port} \ < -bind_dn "${pki_bind_dn}" \ < -bind_password ${pki_bind_password} \ < -base_dn "${tks_base_dn}" \ < -db_name "${tks_db_name}" \ < -remove_data "${pki_remove_data}" \ < -key_size ${tks_key_size} \ < -key_type ${tks_key_type} \ < -token_name ${tks_token_name} \ < -token_pwd ${tks_token_password} \ < -agent_key_size ${tks_agent_key_size} \ < -agent_key_type ${tks_agent_key_type} \ < -agent_cert_subject "${tks_agent_cert_subject}" \ < -subsystem_name ${tks_subsystem_name} \ < -save_p12 ${tks_save_p12} \ < -backup_pwd ${tks_backup_password} \ < -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ < -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \ < -tks_audit_signing_cert_subject_name \ < "${tks_audit_signing_cert_subject_name}" \ < | tee ${pki_silent_tks_log} --- > -cs_hostname "${pki_tks_admin_host}" \ > -cs_port ${pki_tks_admin_port} \ > -sd_hostname "${pki_security_domain_host}" \ > -sd_ssl_port ${pki_ca_ee_port} \ > -sd_agent_port ${pki_ca_agent_port} \ > -sd_admin_port ${pki_ca_admin_port} 
\ > -sd_admin_name "${pki_security_domain_admin_name}" \ > -sd_admin_password ${pki_security_domain_admin_password} \ > -ca_hostname ${pki_ca_ee_host} \ > -ca_port ${pki_ca_nonssl_port} \ > -ca_ssl_port ${pki_ca_ee_port} \ > -client_certdb_dir ${pki_silent_security_database_repository} \ > -client_certdb_pwd ${pki_silent_security_token_password} \ > -client_token_name ${pki_silent_security_token_name} \ > -preop_pin ${tks_preop_pin} \ > -domain_name "${pki_security_domain_name}" \ > -admin_user ${pki_silent_admin_user} \ > -admin_password ${pki_silent_admin_password} \ > -admin_email "${pki_silent_admin_email}" \ > -agent_name ${tks_agent_name} \ > -ldap_host ${pki_ldap_host} \ > -ldap_port ${pki_ldap_port} \ > -bind_dn "${pki_bind_dn}" \ > -bind_password ${pki_bind_password} \ > -base_dn "${tks_base_dn}" \ > -db_name "${tks_db_name}" \ > -remove_data "${pki_remove_data}" \ > -key_size ${tks_key_size} \ > -key_type ${tks_key_type} \ > -token_name ${pki_tks_token_name} \ > -token_pwd ${pki_tks_token_password} \ > -agent_key_size ${tks_agent_key_size} \ > -agent_key_type ${tks_agent_key_type} \ > -agent_cert_subject "${tks_agent_cert_subject}" \ > -subsystem_name ${pki_tks_subsystem_name} \ > -save_p12 ${tks_save_p12} \ > -backup_pwd ${pki_tks_backup_password} \ > -tks_subsystem_cert_subject_name "${tks_subsystem_cert_subject_name}" \ > -tks_server_cert_subject_name "${tks_server_cert_subject_name}" \ > -tks_audit_signing_cert_subject_name \ > "${tks_audit_signing_cert_subject_name}" \ > | tee ${pki_silent_tks_log} 540c548 < /sbin/service ${tks_instance_name} restart --- > /sbin/service ${pki_tks_instance_name} restart Only in 20130413/pki/base/silent/templates: silent_tps_to_ip_port.template diff -r 20130410/pki/base/silent/templates/subca_silent.template 20130413/pki/base/silent/templates/subca_silent.template 86c86 < pki_silent_security_database_password= --- > pki_silent_security_token_password= 317,318c317,318 < if [ "${pki_silent_security_database_password}" = 
"" ] ; then < printf "${usage_error_preamble} 'pki_silent_security_database_password'!\n" --- > if [ "${pki_silent_security_token_password}" = "" ] ; then > printf "${usage_error_preamble} 'pki_silent_security_token_password'!\n" 475c475 < -client_certdb_pwd ${pki_silent_security_database_password} \ --- > -client_certdb_pwd ${pki_silent_security_token_password} \ diff -r 20130410/pki/base/symkey/.svn/entries 20130413/pki/base/symkey/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/config/.svn/entries 20130413/pki/base/symkey/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/m4/.svn/entries 20130413/pki/base/symkey/m4/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/src/.svn/entries 20130413/pki/base/symkey/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/src/com/.svn/entries 20130413/pki/base/symkey/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/src/com/netscape/.svn/entries 20130413/pki/base/symkey/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/symkey/src/com/netscape/symkey/.svn/entries 20130413/pki/base/symkey/src/com/netscape/symkey/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/.svn/entries 20130413/pki/base/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/config/.svn/entries 20130413/pki/base/tks/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/doc/.svn/entries 20130413/pki/base/tks/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/setup/.svn/entries 20130413/pki/base/tks/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/.svn/entries 20130413/pki/base/tks/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/alias/.svn/entries 20130413/pki/base/tks/shared/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/conf/.svn/entries 
20130413/pki/base/tks/shared/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/etc/.svn/entries 20130413/pki/base/tks/shared/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/etc/init.d/.svn/entries 20130413/pki/base/tks/shared/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/logs/.svn/entries 20130413/pki/base/tks/shared/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/logs/signedAudit/.svn/entries 20130413/pki/base/tks/shared/logs/signedAudit/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/shared/.svn/entries 20130413/pki/base/tks/shared/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/shared/classes/.svn/entries 20130413/pki/base/tks/shared/shared/classes/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/shared/lib/.svn/entries 20130413/pki/base/tks/shared/shared/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/temp/.svn/entries 20130413/pki/base/tks/shared/temp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/.svn/entries 20130413/pki/base/tks/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/ROOT/.svn/entries 20130413/pki/base/tks/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/ROOT/WEB-INF/.svn/entries 20130413/pki/base/tks/shared/webapps/ROOT/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/tks/.svn/entries 20130413/pki/base/tks/shared/webapps/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/tks/WEB-INF/.svn/entries 20130413/pki/base/tks/shared/webapps/tks/WEB-INF/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/webapps/tks/WEB-INF/classes/.svn/entries 20130413/pki/base/tks/shared/webapps/tks/WEB-INF/classes/.svn/entries 
4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/shared/work/.svn/entries 20130413/pki/base/tks/shared/work/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/src/.svn/entries 20130413/pki/base/tks/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/src/com/.svn/entries 20130413/pki/base/tks/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/src/com/netscape/.svn/entries 20130413/pki/base/tks/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tks/src/com/netscape/tks/.svn/entries 20130413/pki/base/tks/src/com/netscape/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/.svn/entries 20130413/pki/base/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/alias/.svn/entries 20130413/pki/base/tps/alias/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/apache/.svn/entries 20130413/pki/base/tps/apache/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/apache/conf/.svn/entries 20130413/pki/base/tps/apache/conf/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/applets/.svn/entries 20130413/pki/base/tps/applets/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/config/.svn/entries 20130413/pki/base/tps/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/doc/.svn/entries 20130413/pki/base/tps/doc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/etc/.svn/entries 20130413/pki/base/tps/etc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/etc/init.d/.svn/entries 20130413/pki/base/tps/etc/init.d/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/.svn/entries 20130413/pki/base/tps/forms/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/.svn/entries 20130413/pki/base/tps/forms/esc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/cgi-bin/.svn/entries 
20130413/pki/base/tps/forms/esc/cgi-bin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/cgi-bin/demo/.svn/entries 20130413/pki/base/tps/forms/esc/cgi-bin/demo/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/cgi-bin/home/.svn/entries 20130413/pki/base/tps/forms/esc/cgi-bin/home/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/cgi-bin/so/.svn/entries 20130413/pki/base/tps/forms/esc/cgi-bin/so/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/cgi-bin/sow/.svn/entries 20130413/pki/base/tps/forms/esc/cgi-bin/sow/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/demo/.svn/entries 20130413/pki/base/tps/forms/esc/demo/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/home/.svn/entries 20130413/pki/base/tps/forms/esc/home/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/images/.svn/entries 20130413/pki/base/tps/forms/esc/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/so/.svn/entries 20130413/pki/base/tps/forms/esc/so/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/sow/.svn/entries 20130413/pki/base/tps/forms/esc/sow/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/sow/css/.svn/entries 20130413/pki/base/tps/forms/esc/sow/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/sow/images/.svn/entries 20130413/pki/base/tps/forms/esc/sow/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/esc/sow/js/.svn/entries 20130413/pki/base/tps/forms/esc/sow/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/.svn/entries 20130413/pki/base/tps/forms/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/admin/.svn/entries 20130413/pki/base/tps/forms/tps/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/base/tps/forms/tps/admin/console/.svn/entries 20130413/pki/base/tps/forms/tps/admin/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/admin/console/config/.svn/entries 20130413/pki/base/tps/forms/tps/admin/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/admin/console/css/.svn/entries 20130413/pki/base/tps/forms/tps/admin/console/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/admin/console/img/.svn/entries 20130413/pki/base/tps/forms/tps/admin/console/img/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tps/admin/console/js/.svn/entries 20130413/pki/base/tps/forms/tps/admin/console/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/forms/tus/.svn/entries 20130413/pki/base/tps/forms/tus/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/.svn/entries 20130413/pki/base/tps/lib/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/.svn/entries 20130413/pki/base/tps/lib/perl/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/PKI/.svn/entries 20130413/pki/base/tps/lib/perl/PKI/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/PKI/Base/.svn/entries 20130413/pki/base/tps/lib/perl/PKI/Base/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/PKI/Service/.svn/entries 20130413/pki/base/tps/lib/perl/PKI/Service/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/.svn/entries 20130413/pki/base/tps/lib/perl/PKI/TPS/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm 20130413/pki/base/tps/lib/perl/PKI/TPS/CAInfoPanel.pm 81c81 < $::symbol{errorString} = "No CA information provided. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > $::symbol{errorString} = "No CA information provided. 
CA, TKS, and optionally DRM must be installed prior to TPS installation"; 85a86,87 > &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - selected ca= $count"); > 87c89,91 < my $host = ""; --- > my $ca_ee_host = ""; > my $ca_agent_host = ""; > my $ca_admin_host = ""; 94a99,103 > &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - It is believed " > . "that 'pkisilent' no longer utilizes " > . "this code path, so this message " > . "should not appear in the log!"); > 96,98c105,107 < $host = defined($info->host) ? $info->host : ""; < if ($host eq "") { < $::symbol{errorString} = "No CA host provided."; --- > $ca_ee_host = defined($info->host) ? $info->host : ""; > if ($ca_ee_host eq "") { > $::symbol{errorString} = "No CA EE host provided."; 108c117 < $domain_xml = get_domain_xml($host, $https_ee_port); --- > $domain_xml = get_domain_xml($ca_ee_host, $https_ee_port); 110c119 < $::symbol{errorString} = "missing security domain. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > $::symbol{errorString} = "missing security domain. 
CA, TKS, and optionally DRM must be installed prior to TPS installation"; 114,118c123,130 < $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $host, $https_ee_port); < $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $host, $https_ee_port); < < if(($https_admin_port eq "") || ($https_agent_port eq "")) { < $::symbol{errorString} = "secure CA admin or agent port information not provided by security domain."; --- > $ca_agent_host = get_agent_host_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $https_agent_port = get_secure_agent_port_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $ca_admin_host = get_admin_host_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > $https_admin_port = get_secure_admin_port_from_domain_xml($domain_xml, $ca_ee_host, $https_ee_port); > > if(($ca_admin_host eq "") || ($https_admin_port eq "") || > ($ca_agent_host eq "") || ($https_agent_port eq "")) { > $::symbol{errorString} = "missing secure CA admin or agent host/port information not provided by security domain. CA, TKS, and optionally DRM must be installed prior to TPS installation."; 122,123c134,138 < $host = defined($::config->get("preop.securitydomain.ca$count.host")) ? < $::config->get("preop.securitydomain.ca$count.host") : ""; --- > &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - " > . "Obtaining CA Info from 'CS.cfg'."); > > $ca_ee_host = defined($::config->get("preop.securitydomain.ca$count.eehost")) ? > $::config->get("preop.securitydomain.ca$count.eehost") : ""; 125a141,142 > $ca_agent_host = defined($::config->get("preop.securitydomain.ca$count.agenthost")) ? > $::config->get("preop.securitydomain.ca$count.agenthost") : ""; 127a145,146 > $ca_admin_host = defined($::config->get("preop.securitydomain.ca$count.adminhost")) ? 
> $::config->get("preop.securitydomain.ca$count.adminhost") : ""; 132,133c151,154 < if (($host eq "") || ($https_ee_port eq "") || ($https_admin_port eq "") || ($https_agent_port eq "")) { < $::symbol{errorString} = "no CA found. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > if (($ca_ee_host eq "") || ($https_ee_port eq "") || > ($ca_agent_host eq "") || ($https_agent_port eq "") || > ($ca_admin_host eq "") || ($https_admin_port eq "")) { > $::symbol{errorString} = "no CA found. CA, TKS, and optionally DRM must be installed prior to TPS installation"; 137c158 < &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - host= $host, https_ee_port= $https_ee_port"); --- > &PKI::TPS::Wizard::debug_log("CAInfoPanel: update - ca_ee_host= $ca_ee_host, https_ee_port= $https_ee_port"); 139c160 < $::config->put("preop.cainfo.select", "https://$host:$https_admin_port"); --- > $::config->put("preop.cainfo.select", "https://$ca_admin_host:$https_admin_port"); 144,146c165,167 < $::config->put("conn.ca1.hostport", $host . ":" . $https_ee_port); < $::config->put("conn.ca1.hostagentport", $host . ":" . $https_agent_port); < $::config->put("conn.ca1.hostadminport", $host . ":" . $https_admin_port); --- > $::config->put("conn.ca1.hostport", $ca_ee_host . ":" . $https_ee_port); > $::config->put("conn.ca1.hostagentport", $ca_agent_host . ":" . $https_agent_port); > $::config->put("conn.ca1.hostadminport", $ca_admin_host . ":" . 
$https_admin_port); 156c177 < system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $host:$https_ee_port > $tmpfile"); --- > system("/usr/bin/sslget -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$serverCertNickName\" -r \"/ca/ee/ca/getCertChain\" $ca_ee_host:$https_ee_port > $tmpfile"); 204,206c225,227 < my $host = ""; < $host = $::config->get("preop.securitydomain.ca$count.host"); < if ($host eq "") { --- > my $ca_ee_host = ""; > $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost"); > if ($ca_ee_host eq "") { 211,212c232,233 < my $item = $name . " - https://" . $host . ":" . $https_ee_port; < # my $item = "https://" . $host . ":" . $https_ee_port; --- > my $item = $name . " - https://" . $ca_ee_host . ":" . $https_ee_port; > # my $item = "https://" . $ca_ee_host . ":" . $https_ee_port; 236c257 < my $host = $1; --- > my $ca_ee_host = $1; 260c281 < my $host = $2; --- > my $ca_ee_host = $2; 264c285 < # to the selected host and secure ee port. --- > # to the selected EE host and secure ee port. 272c293 < if( ( $host eq $c->{'Host'}[0] ) && --- > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && 286c307 < my $host = $2; --- > my $ca_ee_host = $2; 290c311 < # to the selected host and secure ee port. --- > # to the selected EE host and secure ee port. 298c319 < if( ( $host eq $c->{'Host'}[0] ) && --- > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && 308a330,393 > sub get_admin_host_from_domain_xml > { > my $content = $1; > my $ca_ee_host = $2; > my $https_ee_port = $3; > > # Retrieve the admin host corresponding > # to the selected EE host and secure ee port. 
> my $parser = XML::Simple->new(); > my $response = $parser->XMLin($content); > my $xml = $parser->XMLin( $response->{'DomainInfo'}, > ForceArray => 1 ); > my $ca_admin_host = ""; > my $count = 0; > foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && > ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { > if( $c->{'AdminHost'}[0] ne "" ) { > # IP Port Separation Schema > $ca_admin_host = https_$c->{'AdminHost'}[0]; > } else { > # Port Separation Schema > $ca_admin_host = https_$c->{'Host'}[0]; > } > } > > $count++; > } > > return $ca_admin_host; > } > > sub get_agent_host_from_domain_xml > { > my $content = $1; > my $ca_ee_host = $2; > my $https_ee_port = $3; > > # Retrieve the agent host corresponding > # to the selected EE host and secure ee port. > my $parser = XML::Simple->new(); > my $response = $parser->XMLin($content); > my $xml = $parser->XMLin( $response->{'DomainInfo'}, > ForceArray => 1 ); > my $ca_agent_host = ""; > my $count = 0; > foreach my $c (@{$xml->{'CAList'}[0]->{'CA'}}) { > if( ( $ca_ee_host eq $c->{'Host'}[0] ) && > ( $https_ee_port eq $c->{'SecurePort'}[0] ) ) { > if( $c->{'AgentHost'}[0] ne "" ) { > # IP Port Separation Schema > $ca_agent_host = https_$c->{'AgentHost'}[0]; > } else { > # Port Separation Schema > $ca_agent_host = https_$c->{'Host'}[0]; > } > } > > $count++; > } > > return $ca_agent_host; > } > diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm 20130413/pki/base/tps/lib/perl/PKI/TPS/DRMInfoPanel.pm 88c88,89 < my $host = ""; --- > my $kra_agent_host = ""; > my $kra_admin_host = ""; 93a95,99 > &PKI::TPS::Wizard::debug_log("DRMInfoPanel: update - It is believed " > . "that 'pkisilent' no longer utilizes " > . "this code path, so this message " > . "should not appear in the log!"); > 95c101 < $host = defined($info->host) ? $info->host : ""; --- > $kra_agent_host = defined($info->host) ? $info->host : ""; 96a103 > $kra_admin_host = defined($q->param('adminhost'))? 
$q->param('adminhost') : ""; 99,100c106,110 < $host = defined($::config->get("preop.securitydomain.kra$count.host")) ? < $::config->get("preop.securitydomain.kra$count.host") : ""; --- > &PKI::TPS::Wizard::debug_log("DRMInfoPanel: update - " > . "Obtaining DRM Info from 'CS.cfg'."); > > $kra_agent_host = defined($::config->get("preop.securitydomain.kra$count.agenthost")) ? > $::config->get("preop.securitydomain.kra$count.agenthost") : ""; 102a113,114 > $kra_admin_host = defined($::config->get("preop.securitydomain.kra$count.adminhost")) ? > $::config->get("preop.securitydomain.kra$count.adminhost") : ""; 108c120 < if (($host eq "") || ($https_agent_port eq "")) { --- > if (($kra_agent_host eq "") || ($https_agent_port eq "")) { 123c135 < $::config->put("preop.krainfo.select", "https://$host:$https_admin_port"); --- > $::config->put("preop.krainfo.select", "https://$kra_admin_host:$https_admin_port"); 125c137 < $::config->put("conn.drm1.hostport", $host . ":" . $https_agent_port); --- > $::config->put("conn.drm1.hostport", $kra_agent_host . ":" . $https_agent_port); 159,161c171,173 < my $host = ""; < $host = $::config->get("preop.securitydomain.kra$count.host"); < if ($host eq "") { --- > my $kra_agent_host = ""; > $kra_agent_host = $::config->get("preop.securitydomain.kra$count.agenthost"); > if ($kra_agent_host eq "") { 166c178 < $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; --- > $::symbol{urls}[$count++] = $name . " - https://" . $kra_agent_host . ":" . 
$https_agent_port; diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm 20130413/pki/base/tps/lib/perl/PKI/TPS/DisplayCertChainPanel.pm 254,256c254,260 < $c->{'EEClientAuthPort'}[0]); < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > $c->{'SecureEEClientAuthPort'}[0]); > # Account for a Security Domain using either an IP Port Separation > # Schema, or a Port Separation Schema > my $ca_agent_hostname = ""; > my $ca_ee_hostname = ""; > my $ca_admin_hostname = ""; > my $ca_eeca_hostname = ""; 259a264 > $ca_agent_hostname = $c->{'AgentHost'}[0]; 262a268 > $ca_agent_hostname = $c->{'Host'}[0]; 266a273 > $ca_ee_hostname = $c->{'EEHost'}[0]; 269a277 > $ca_ee_hostname = $c->{'Host'}[0]; 273a282 > $ca_admin_hostname = $c->{'AdminHost'}[0]; 276a286 > $ca_admin_hostname = $c->{'Host'}[0]; 280a291 > $ca_eeca_hostname = $c->{'EEClientAuthHost'}[0]; 283a295 > $ca_eeca_hostname = $c->{'Host'}[0]; 290,291c302 < if( ( $sd_host eq $c-> $::config->put("preop.securitydomain.ca" . < $count . ".adminhost") ) && --- > if( ( $sd_host eq $ca_admin_hostname ) && 294,311c305,310 < my $http_ee_port = "http://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eehost") < . ":" < . $c->{'UnSecurePort'}[0]; < my $https_agent_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".agenthost") < . ":" < . $c->{'SecureAgentPort'}[0]; < my $https_ee_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eehost") < . ":" < . $c->{'SecurePort'}[0]; < my $https_eeca_port = "https://" < . $::config->get("preop.securitydomain.ca" . < $count . ".eecahost") --- > my $http_ee_url = "http://" > . $ca_ee_hostname > . ":" > . $c->{'UnSecurePort'}[0]; > my $https_agent_url = "https://" > . $ca_agent_hostname 313c312,320 < . $c->{'EEClientAuthPort'}[0]; --- > . $c->{'SecureAgentPort'}[0]; > my $https_ee_url = "https://" > . $ca_ee_hostname > . ":" > . 
$c->{'SecurePort'}[0]; > my $https_eeca_url = "https://" > . $ca_eeca_hostname > . ":" > . $c->{'SecureEEClientAuthPort'}[0]; 316,319c323,326 < $::config->put( "config.sdomainHttpURL", $http_ee_port ); < $::config->put( "config.sdomainAgentURL", $https_agent_port ); < $::config->put( "config.sdomainEEURL", $https_ee_port ); < $::config->put( "config.sdomainEECAURL", $https_eeca_port ); --- > $::config->put( "config.sdomainHttpURL", $http_ee_url ); > $::config->put( "config.sdomainAgentURL", $https_agent_url ); > $::config->put( "config.sdomainEEURL", $https_ee_url ); > $::config->put( "config.sdomainEECAURL", $https_eeca_url ); 328c335 < $::config->put( "securitydomain.eehost", --- > $::config->put( "securitydomain.eecahost", 336a344,345 > $::config->put( "securitydomain.httpseecaport", > $c->{'SecureEEClientAuthPort'}[0] ); 356,357c365,366 < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > # Account for a Security Domain using either an IP Port Separation > # Schema, or a Port Separation Schema 396,397c405,406 < // Account for a Security Domain using either an IP Port Separation < // Schema, or a Port Separation Schema --- > # Account for a Security Domain using either an IP Port Separation > # Schema, or a Port Separation Schema diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm 20130413/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm 88c88 < my $host = ""; --- > my $ca_ee_host = ""; 94c94 < $host = $info->host; --- > $ca_ee_host = $info->host; 97,98c97,98 < $host = $::config->get("preop.securitydomain.ca$count.host"); < if ($host eq "") { --- > $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost"); > if ($ca_ee_host eq "") { 102c102 < &PKI::TPS::Wizard::debug_log("NamePanel: update - host= $host, https_ee_port= $https_ee_port"); --- > &PKI::TPS::Wizard::debug_log("NamePanel: update - ca_ee_host= $ca_ee_host, https_ee_port= $https_ee_port"); 107c107 < 
$::config->put("preop.ca.url", "https://" . $host . ":" . $https_ee_port); --- > $::config->put("preop.ca.url", "https://" . $ca_ee_host . ":" . $https_ee_port); 303c303 < $host = $sdom_url->host; --- > $ca_ee_host = $sdom_url->host; 308,309c308,309 < $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; < $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; --- > $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; > $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; 312,313c312,313 < $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; < $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$https_ee_port"; --- > $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; > $debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $ca_ee_host:$https_ee_port"; 519,520c519,520 < my $host = $::config->get("preop.securitydomain.ca$count.host") || ""; < if ($host eq "") { --- > my $ca_ee_host = $::config->get("preop.securitydomain.ca$count.eehost") || ""; > if ($ca_ee_host eq "") { 525c525 < my $item = $name . " - https://" . $host . ":" . $https_ee_port; --- > my $item = $name . " - https://" . $ca_ee_host . ":" . 
$https_ee_port; diff -r 20130410/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm 20130413/pki/base/tps/lib/perl/PKI/TPS/TKSInfoPanel.pm 78c78 < $::symbol{errorString} = "no TKS info provided. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > $::symbol{errorString} = "no TKS info provided. CA, TKS, and optionally DRM must be installed prior to TPS installation"; 84c84,85 < my $host = ""; --- > my $tks_agent_host = ""; > my $tks_admin_host = ""; 89a91,95 > &PKI::TPS::Wizard::debug_log("TKSInfoPanel: update - It is believed " > . "that 'pkisilent' no longer utilizes " > . "this code path, so this message " > . "should not appear in the log!"); > 91c97 < $host = defined($info->host) ? $info->host : ""; --- > $tks_agent_host = defined($info->host) ? $info->host : ""; 92a99 > $tks_admin_host = defined($q->param('adminhost')) ? $q->param('adminhost') : ""; 95,96c102,106 < $host = defined($::config->get("preop.securitydomain.tks$count.host")) ? < $::config->get("preop.securitydomain.tks$count.host") : ""; --- > &PKI::TPS::Wizard::debug_log("TKSInfoPanel: update - " > . "Obtaining TKS Info from 'CS.cfg'."); > > $tks_admin_host = defined($::config->get("preop.securitydomain.tks$count.adminhost")) ? > $::config->get("preop.securitydomain.tks$count.adminhost") : ""; 98a109,110 > $tks_agent_host = defined($::config->get("preop.securitydomain.tks$count.agenthost")) ? > $::config->get("preop.securitydomain.tks$count.agenthost") : ""; 103,104c115,116 < if (($host eq "") || ($https_agent_port eq "")) { < $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > if (($tks_agent_host eq "") || ($https_agent_port eq "")) { > $::symbol{errorString} = "no TKS found. 
CA, TKS, and optionally DRM must be installed prior to TPS installation"; 108c120 < if ($https_admin_port eq "") { --- > if (($tks_admin_host eq "") || ($https_admin_port eq "")) { 118c130 < $::config->put("preop.tksinfo.select", "https://$host:$https_admin_port"); --- > $::config->put("preop.tksinfo.select", "https://$tks_admin_host:$https_admin_port"); 120c132 < $::config->put("conn.tks1.hostport", $host . ":" . $https_agent_port); --- > $::config->put("conn.tks1.hostport", $tks_agent_host . ":" . $https_agent_port); 134,136c146,148 < my $host = ""; < $host = $::config->get("preop.securitydomain.tks$count.host"); < if ($host eq "") { --- > my $tks_agent_host = ""; > $tks_agent_host = $::config->get("preop.securitydomain.tks$count.agenthost"); > if ($tks_agent_host eq "") { 141c153 < $::symbol{urls}[$count++] = $name . " - https://" . $host . ":" . $https_agent_port; --- > $::symbol{urls}[$count++] = $name . " - https://" . $tks_agent_host . ":" . $https_agent_port; 146c158 < $::symbol{errorString} = "no TKS found. CA, TKS and optionally DRM must be installed prior to TPS installation"; --- > $::symbol{errorString} = "no TKS found. 
CA, TKS, and optionally DRM must be installed prior to TPS installation"; diff -r 20130410/pki/base/tps/lib/perl/Template/.svn/entries 20130413/pki/base/tps/lib/perl/Template/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/logs/.svn/entries 20130413/pki/base/tps/logs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/logs/signedAudit/.svn/entries 20130413/pki/base/tps/logs/signedAudit/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/m4/.svn/entries 20130413/pki/base/tps/m4/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/scripts/.svn/entries 20130413/pki/base/tps/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/setup/.svn/entries 20130413/pki/base/tps/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/.svn/entries 20130413/pki/base/tps/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/apdu/.svn/entries 20130413/pki/base/tps/src/apdu/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/authentication/.svn/entries 20130413/pki/base/tps/src/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/channel/.svn/entries 20130413/pki/base/tps/src/channel/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/cms/.svn/entries 20130413/pki/base/tps/src/cms/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/engine/.svn/entries 20130413/pki/base/tps/src/engine/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/httpClient/.svn/entries 20130413/pki/base/tps/src/httpClient/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/.svn/entries 20130413/pki/base/tps/src/include/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/apdu/.svn/entries 20130413/pki/base/tps/src/include/apdu/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/authentication/.svn/entries 
20130413/pki/base/tps/src/include/authentication/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/channel/.svn/entries 20130413/pki/base/tps/src/include/channel/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/cms/.svn/entries 20130413/pki/base/tps/src/include/cms/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/engine/.svn/entries 20130413/pki/base/tps/src/include/engine/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/httpClient/.svn/entries 20130413/pki/base/tps/src/include/httpClient/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/httpClient/httpc/.svn/entries 20130413/pki/base/tps/src/include/httpClient/httpc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/main/.svn/entries 20130413/pki/base/tps/src/include/main/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/modules/.svn/entries 20130413/pki/base/tps/src/include/modules/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/modules/tps/.svn/entries 20130413/pki/base/tps/src/include/modules/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/msg/.svn/entries 20130413/pki/base/tps/src/include/msg/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/processor/.svn/entries 20130413/pki/base/tps/src/include/processor/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/publisher/.svn/entries 20130413/pki/base/tps/src/include/publisher/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/selftests/.svn/entries 20130413/pki/base/tps/src/include/selftests/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/service/.svn/entries 20130413/pki/base/tps/src/include/service/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/include/tus/.svn/entries 
20130413/pki/base/tps/src/include/tus/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/main/.svn/entries 20130413/pki/base/tps/src/main/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/modules/.svn/entries 20130413/pki/base/tps/src/modules/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/modules/tokendb/.svn/entries 20130413/pki/base/tps/src/modules/tokendb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/modules/tps/.svn/entries 20130413/pki/base/tps/src/modules/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/msg/.svn/entries 20130413/pki/base/tps/src/msg/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/processor/.svn/entries 20130413/pki/base/tps/src/processor/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/selftests/.svn/entries 20130413/pki/base/tps/src/selftests/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/test/.svn/entries 20130413/pki/base/tps/src/test/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/src/tus/.svn/entries 20130413/pki/base/tps/src/tus/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/stubs/.svn/entries 20130413/pki/base/tps/stubs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/stubs/modules/.svn/entries 20130413/pki/base/tps/stubs/modules/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/stubs/modules/nss/.svn/entries 20130413/pki/base/tps/stubs/modules/nss/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/tools/.svn/entries 20130413/pki/base/tps/tools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/tools/raclient/.svn/entries 20130413/pki/base/tps/tools/raclient/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/tools/tus/.svn/entries 20130413/pki/base/tps/tools/tus/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/ui/.svn/entries 
20130413/pki/base/tps/ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/ui/perl/.svn/entries 20130413/pki/base/tps/ui/perl/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/tps/wrappers/.svn/entries 20130413/pki/base/tps/wrappers/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/.svn/entries 20130413/pki/base/util/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/config/.svn/entries 20130413/pki/base/util/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/.svn/entries 20130413/pki/base/util/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/.svn/entries 20130413/pki/base/util/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/.svn/entries 20130413/pki/base/util/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/crypto/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/crypto/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/http/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/http/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/ldap/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/ldap/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/net/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/net/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/ocsp/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/password/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/password/.svn/entries 4c4 < 2554 
--- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/radius/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/radius/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/scep/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/scep/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/util/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/util/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/com/netscape/cmsutil/xml/.svn/entries 20130413/pki/base/util/src/com/netscape/cmsutil/xml/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/.svn/entries 20130413/pki/base/util/src/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/net/.svn/entries 20130413/pki/base/util/src/netscape/net/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/net/smtp/.svn/entries 20130413/pki/base/util/src/netscape/net/smtp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/.svn/entries 20130413/pki/base/util/src/netscape/security/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/acl/.svn/entries 20130413/pki/base/util/src/netscape/security/acl/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/extensions/.svn/entries 20130413/pki/base/util/src/netscape/security/extensions/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/pkcs/.svn/entries 20130413/pki/base/util/src/netscape/security/pkcs/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/provider/.svn/entries 20130413/pki/base/util/src/netscape/security/provider/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/util/.svn/entries 20130413/pki/base/util/src/netscape/security/util/.svn/entries 4c4 < 
2554 --- > 2564 diff -r 20130410/pki/base/util/src/netscape/security/x509/.svn/entries 20130413/pki/base/util/src/netscape/security/x509/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/.svn/entries 20130413/pki/dogtag/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca/.svn/entries 20130413/pki/dogtag/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca/config/.svn/entries 20130413/pki/dogtag/ca/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca/config-ext/.svn/entries 20130413/pki/dogtag/ca/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/.svn/entries 20130413/pki/dogtag/ca-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/config/.svn/entries 20130413/pki/dogtag/ca-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/config-ext/.svn/entries 20130413/pki/dogtag/ca-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/.svn/entries 20130413/pki/dogtag/ca-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/admin/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/admin/ca/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/admin/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/admin/graphics/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/admin/graphics/.svn/entries 4c4 < 
2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/agent/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/agent/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/agent/graphics/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/agent/graphics/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/ee/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/ee/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ca-ui/shared/webapps/ca/ee/graphics/.svn/entries 20130413/pki/dogtag/ca-ui/shared/webapps/ca/ee/graphics/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common/.svn/entries 20130413/pki/dogtag/common/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common/config/.svn/entries 20130413/pki/dogtag/common/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common/config-ext/.svn/entries 20130413/pki/dogtag/common/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/.svn/entries 20130413/pki/dogtag/common-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/config/.svn/entries 20130413/pki/dogtag/common-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/common-ui/config-ext/.svn/entries 20130413/pki/dogtag/common-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/.svn/entries 20130413/pki/dogtag/common-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/console/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/console/config/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/console/config/.svn/entries 4c4 < 2556 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/console/css/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/console/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/console/img/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/console/img/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/common-ui/shared/admin/console/js/.svn/entries 20130413/pki/dogtag/common-ui/shared/admin/console/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/config-ext/.svn/entries 20130413/pki/dogtag/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console/.svn/entries 20130413/pki/dogtag/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console/config/.svn/entries 20130413/pki/dogtag/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console/config-ext/.svn/entries 20130413/pki/dogtag/console/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/.svn/entries 20130413/pki/dogtag/console-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/config/.svn/entries 20130413/pki/dogtag/console-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/console-ui/config-ext/.svn/entries 20130413/pki/dogtag/console-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/.svn/entries 20130413/pki/dogtag/console-ui/src/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/.svn/entries 20130413/pki/dogtag/console-ui/src/com/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/admin/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/admin/certsrv/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/admin/certsrv/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/admin/certsrv/theme/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/admin/certsrv/theme/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/management/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/management/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/management/client/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/management/client/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/management/client/theme/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/management/client/theme/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/console-ui/src/com/netscape/management/client/theme/images/.svn/entries 20130413/pki/dogtag/console-ui/src/com/netscape/management/client/theme/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/java-tools/.svn/entries 20130413/pki/dogtag/java-tools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/java-tools/config/.svn/entries 20130413/pki/dogtag/java-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/java-tools/config-ext/.svn/entries 20130413/pki/dogtag/java-tools/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra/.svn/entries 20130413/pki/dogtag/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra/config/.svn/entries 20130413/pki/dogtag/kra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra/config-ext/.svn/entries 20130413/pki/dogtag/kra/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/.svn/entries 20130413/pki/dogtag/kra-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/config/.svn/entries 20130413/pki/dogtag/kra-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/config-ext/.svn/entries 20130413/pki/dogtag/kra-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/.svn/entries 20130413/pki/dogtag/kra-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/.svn/entries 20130413/pki/dogtag/kra-ui/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/dogtag/kra-ui/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/kra/.svn/entries 20130413/pki/dogtag/kra-ui/shared/webapps/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/kra/agent/.svn/entries 20130413/pki/dogtag/kra-ui/shared/webapps/kra/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/kra/agent/graphics/.svn/entries 20130413/pki/dogtag/kra-ui/shared/webapps/kra/agent/graphics/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/.svn/entries 
20130413/pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/manage/.svn/entries 20130413/pki/dogtag/manage/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/manage/config/.svn/entries 20130413/pki/dogtag/manage/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/manage/config-ext/.svn/entries 20130413/pki/dogtag/manage/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/migrate/.svn/entries 20130413/pki/dogtag/migrate/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/migrate/config/.svn/entries 20130413/pki/dogtag/migrate/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/migrate/config-ext/.svn/entries 20130413/pki/dogtag/migrate/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/native-tools/.svn/entries 20130413/pki/dogtag/native-tools/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/native-tools/config/.svn/entries 20130413/pki/dogtag/native-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/native-tools/config-ext/.svn/entries 20130413/pki/dogtag/native-tools/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp/.svn/entries 20130413/pki/dogtag/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp/config/.svn/entries 20130413/pki/dogtag/ocsp/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp/config-ext/.svn/entries 20130413/pki/dogtag/ocsp/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/.svn/entries 20130413/pki/dogtag/ocsp-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/config/.svn/entries 20130413/pki/dogtag/ocsp-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/config-ext/.svn/entries 20130413/pki/dogtag/ocsp-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/ocsp-ui/shared/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/ocsp/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/graphics/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/graphics/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/.svn/entries 20130413/pki/dogtag/ocsp-ui/shared/webapps/ocsp/agent/ocsp/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/osutil/.svn/entries 20130413/pki/dogtag/osutil/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/osutil/config/.svn/entries 20130413/pki/dogtag/osutil/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/osutil/config-ext/.svn/entries 20130413/pki/dogtag/osutil/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra/.svn/entries 20130413/pki/dogtag/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra/config/.svn/entries 20130413/pki/dogtag/ra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra/config-ext/.svn/entries 20130413/pki/dogtag/ra/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/.svn/entries 20130413/pki/dogtag/ra-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/config/.svn/entries 20130413/pki/dogtag/ra-ui/config/.svn/entries 
4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/config-ext/.svn/entries 20130413/pki/dogtag/ra-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/.svn/entries 20130413/pki/dogtag/ra-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/admin/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/admin/group/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/admin/group/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/admin/user/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/admin/user/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/agent/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/agent/cert/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/agent/cert/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/agent/request/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/agent/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/css/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ee/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ee/agent/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ee/request/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/request/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/ra-ui/shared/docroot/ee/scep/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/scep/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ee/server/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/server/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ee/user/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ee/user/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/images/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/admin/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/config/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/img/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/img/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/js/.svn/entries 20130413/pki/dogtag/ra-ui/shared/docroot/ra/admin/console/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/scripts/.svn/entries 20130413/pki/dogtag/scripts/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/selinux/.svn/entries 20130413/pki/dogtag/selinux/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/selinux/config/.svn/entries 20130413/pki/dogtag/selinux/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/selinux/config-ext/.svn/entries 20130413/pki/dogtag/selinux/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/setup/.svn/entries 20130413/pki/dogtag/setup/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/setup/config/.svn/entries 20130413/pki/dogtag/setup/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/setup/config-ext/.svn/entries 20130413/pki/dogtag/setup/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/silent/.svn/entries 20130413/pki/dogtag/silent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/silent/config/.svn/entries 20130413/pki/dogtag/silent/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/silent/config-ext/.svn/entries 20130413/pki/dogtag/silent/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/symkey/.svn/entries 20130413/pki/dogtag/symkey/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/symkey/config/.svn/entries 20130413/pki/dogtag/symkey/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/symkey/config-ext/.svn/entries 20130413/pki/dogtag/symkey/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks/.svn/entries 20130413/pki/dogtag/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks/config/.svn/entries 20130413/pki/dogtag/tks/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks/config-ext/.svn/entries 20130413/pki/dogtag/tks/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/.svn/entries 20130413/pki/dogtag/tks-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/config/.svn/entries 20130413/pki/dogtag/tks-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/config-ext/.svn/entries 20130413/pki/dogtag/tks-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/.svn/entries 
20130413/pki/dogtag/tks-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/ROOT/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/tks/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/tks/agent/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/tks/agent/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/tks/agent/graphics/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/tks/agent/graphics/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/.svn/entries 20130413/pki/dogtag/tks-ui/shared/webapps/tks/agent/tks/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps/.svn/entries 20130413/pki/dogtag/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps/config/.svn/entries 20130413/pki/dogtag/tps/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps/config-ext/.svn/entries 20130413/pki/dogtag/tps/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/.svn/entries 20130413/pki/dogtag/tps-ui/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/config/.svn/entries 20130413/pki/dogtag/tps-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/config-ext/.svn/entries 20130413/pki/dogtag/tps-ui/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/.svn/entries 20130413/pki/dogtag/tps-ui/shared/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/cgi-bin/.svn/entries 20130413/pki/dogtag/tps-ui/shared/cgi-bin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/tps-ui/shared/cgi-bin/demo/.svn/entries 20130413/pki/dogtag/tps-ui/shared/cgi-bin/demo/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/cgi-bin/home/.svn/entries 20130413/pki/dogtag/tps-ui/shared/cgi-bin/home/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/cgi-bin/so/.svn/entries 20130413/pki/dogtag/tps-ui/shared/cgi-bin/so/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/cgi-bin/sow/.svn/entries 20130413/pki/dogtag/tps-ui/shared/cgi-bin/sow/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/css/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/demo/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/demo/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/home/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/home/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/images/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/so/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/so/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/so/images/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/so/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/sow/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/sow/.svn/entries 4c4 < 2554 --- > 2564 diff -r 
20130410/pki/dogtag/tps-ui/shared/docroot/esc/sow/css/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/sow/css/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/sow/images/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/sow/images/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/esc/sow/js/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/esc/sow/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tokendb/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tokendb/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/admin/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/admin/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/config/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/img/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/img/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/js/.svn/entries 20130413/pki/dogtag/tps-ui/shared/docroot/tps/admin/console/js/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/util/.svn/entries 20130413/pki/dogtag/util/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/util/config/.svn/entries 20130413/pki/dogtag/util/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/dogtag/util/config-ext/.svn/entries 
20130413/pki/dogtag/util/config-ext/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/.svn/all-wcprops 20130413/pki/redhat/.svn/all-wcprops 4c4 < /repos/pki/!svn/ver/16072/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat --- > /repos/pki/!svn/ver/16074/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat diff -r 20130410/pki/redhat/.svn/entries 20130413/pki/redhat/.svn/entries 4c4 < 16073 --- > 16075 10,11c10,11 < 2013-04-04T19:24:00.009643Z < 16072 --- > 2013-04-10T13:42:53.844212Z > 16074 38c38 < tps-ui --- > symkey 41c41 < symkey --- > tps-ui 50,52d49 < selinux < dir < 56c53 < common --- > selinux 59c56 < kra-ui --- > migrate 65c62 < migrate --- > kra-ui 68c65 < silent --- > common 74c71 < setup --- > silent 77c74 < tks --- > setup 80c77 < ra --- > tks 86c83 < common-ui --- > ra 91a89,91 > common-ui > dir > 101c101 < util --- > kra 104c104 < ra-ui --- > console-ui 107c107 < console-ui --- > ra-ui 110c110 < kra --- > util diff -r 20130410/pki/redhat/ca/.svn/entries 20130413/pki/redhat/ca/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca/config/.svn/entries 20130413/pki/redhat/ca/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ca/config-ext/.svn/entries 20130413/pki/redhat/ca/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/.svn/entries 20130413/pki/redhat/ca-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/config/.svn/entries 20130413/pki/redhat/ca-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ca-ui/config-ext/.svn/entries 20130413/pki/redhat/ca-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/.svn/entries 20130413/pki/redhat/ca-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ROOT/.svn/entries 
20130413/pki/redhat/ca-ui/shared/webapps/ROOT/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/admin/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/admin/ca/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/admin/ca/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/admin/graphics/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/admin/graphics/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/agent/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/agent/.svn/entries 4c4 < 16073 --- > 16075 29c29 < ports.template --- > index.template 35,39c35,39 < 2013-02-06T23:00:33.000000Z < 52f2613da32880204c3afc596567c8a0 < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 2013-04-02T21:34:49.000000Z > cc0f83c4d5fb6ea1606787675bf9c8e1 > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 61c61 < 4923 --- > 6282 63c63 < index.template --- > ports.template 69,73c69,73 < 2013-04-02T21:34:49.000000Z < cc0f83c4d5fb6ea1606787675bf9c8e1 < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:33.000000Z > 52f2613da32880204c3afc596567c8a0 > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 95c95 < 6282 --- > 4923 202c202 < GenRejected.template --- > funcs.js 208,212c208,212 < 2013-02-06T23:00:34.000000Z < 0fc39aee3711c292c5156353befccb1e < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 2013-02-06T23:00:33.000000Z > 8d9f355be16fa15d0beb7239789e5c0b > 2012-09-19T19:04:45.610151Z > 16055 > awnuk at REDHAT.COM 234c234 < 2693 --- > 20890 236c236 < funcs.js --- > GenRejected.template 242,246c242,246 < 2013-02-06T23:00:33.000000Z < 
8d9f355be16fa15d0beb7239789e5c0b < 2012-09-19T19:04:45.610151Z < 16055 < awnuk at REDHAT.COM --- > 2013-02-06T23:00:34.000000Z > 0fc39aee3711c292c5156353befccb1e > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 268c268 < 20890 --- > 2693 270c270 < GenError.template --- > xenroll.dll 277,280c277,280 < 6de8faeb10ee93ee37a153e36979acfb < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 8905cf1297282a015219792cf34de8ad > 2007-05-17T21:47:41.386203Z > 14777 > nkwan 302c302 < 2570 --- > 172664 304c304 < xenroll.dll --- > GenError.template 311,314c311,314 < 8905cf1297282a015219792cf34de8ad < 2007-05-17T21:47:41.386203Z < 14777 < nkwan --- > 6de8faeb10ee93ee37a153e36979acfb > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 336c336 < 172664 --- > 2570 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/agent/ca/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/agent/ca/.svn/entries 4c4 < 16073 --- > 16075 63c63 < frameSearch.html --- > menuRevoke.html 70c70 < 6dc364b3f8b13e2ce25f020b6ff25b28 --- > f8c0ebdd820af2ab96f4e2d7fb4bbd10 95c95 < 1373 --- > 3247 97c97 < menuRevoke.html --- > frameSearch.html 104c104 < f8c0ebdd820af2ab96f4e2d7fb4bbd10 --- > 6dc364b3f8b13e2ce25f020b6ff25b28 129c129 < 3247 --- > 1373 403c403 < ImportCert.template --- > bulkissuance.template 410,413c410,413 < 1bf487827ed9e773d3b58aac5c26da34 < 2012-08-06T19:50:47.698850Z < 16030 < awnuk at REDHAT.COM --- > e1abc4e4bd27c104affc289a9b54ebd7 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 435c435 < 8043 --- > 970 437c437 < bulkissuance.template --- > ImportCert.template 444,447c444,447 < e1abc4e4bd27c104affc289a9b54ebd7 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 1bf487827ed9e773d3b58aac5c26da34 > 2012-08-06T19:50:47.698850Z > 16030 > awnuk at REDHAT.COM 469c469 < 970 --- > 8043 1287c1287 < notImplemented.html --- > srchCert.template 1294,1297c1294,1297 < ab44f1b96cb5a7b039184496c379557b < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 
e976edb0816716096a7137056d00e79c > 2009-08-06T23:55:22.341380Z > 15631 > awnuk at REDHAT.COM 1319c1319 < 1337 --- > 14942 1321c1321 < srchCert.template --- > notImplemented.html 1328,1331c1328,1331 < e976edb0816716096a7137056d00e79c < 2009-08-06T23:55:22.341380Z < 15631 < awnuk at REDHAT.COM --- > ab44f1b96cb5a7b039184496c379557b > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 1353c1353 < 14942 --- > 1337 1423c1423 < frameDir.html --- > menuOCSP.html 1430c1430 < c902a0cb3158dec929bf6c6defe70885 --- > b037b3253662c656ee5eea60240643a2 1455c1455 < 1371 --- > 3453 1457c1457 < menuOCSP.html --- > frameDir.html 1464c1464 < b037b3253662c656ee5eea60240643a2 --- > c902a0cb3158dec929bf6c6defe70885 1489c1489 < 3453 --- > 1371 1729c1729 < reasonToRevoke.template --- > displayCRL.template 1735,1739c1735,1739 < 2013-02-06T23:00:32.000000Z < 9c68ae91e3697fa0b79fbc62d1a12e49 < 2012-09-19T19:04:45.610151Z < 16055 < awnuk at REDHAT.COM --- > 2013-04-02T21:34:49.000000Z > 347539a44ad2f822e3a5b69acdfa2a4f > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 1761c1761 < 17115 --- > 10242 1763c1763 < displayCRL.template --- > reasonToRevoke.template 1769,1773c1769,1773 < 2013-04-02T21:34:49.000000Z < 347539a44ad2f822e3a5b69acdfa2a4f < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:32.000000Z > 9c68ae91e3697fa0b79fbc62d1a12e49 > 2012-09-19T19:04:45.610151Z > 16055 > awnuk at REDHAT.COM 1795c1795 < 10242 --- > 17115 1865c1865 < UpdateDir.html --- > frameDisplayCRL.html 1872,1875c1872,1875 < 838df36b0b6dc0ee2e1338566e127133 < 2011-05-20T19:21:13.897828Z < 15885 < alee at REDHAT.COM --- > edd5ad02580d5ccc7e2e8a14801b9600 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 1897c1897 < 11993 --- > 1402 1899c1899 < frameDisplayCRL.html --- > UpdateDir.html 1906,1909c1906,1909 < edd5ad02580d5ccc7e2e8a14801b9600 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 838df36b0b6dc0ee2e1338566e127133 > 2011-05-20T19:21:13.897828Z > 15885 > alee at REDHAT.COM 1931c1931 < 
1402 --- > 11993 1967c1967 < displayCertFromRequest.template --- > monitor.html 1974c1974 < 8691de88a52c5d6d414d64c503f827bc --- > 36959c5b1f7e77c1923d6d0f9d417a80 1999c1999 < 5972 --- > 2693 2001c2001 < monitor.html --- > displayCertFromRequest.template 2008c2008 < 36959c5b1f7e77c1923d6d0f9d417a80 --- > 8691de88a52c5d6d414d64c503f827bc 2033c2033 < 2693 --- > 5972 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/agent/graphics/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/agent/graphics/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/ee/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/ee/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/.svn/entries 4c4 < 16073 --- > 16075 539c539 < ProfileSubmit.template --- > EnrollSuccess.template 546c546 < 2d70b22060a42c98b5e210db7fae3316 --- > d2ad389bcfef844ef52ff5196f42a29b 571c571 < 5578 --- > 9573 573c573 < EnrollSuccess.template --- > ProfileSubmit.template 580c580 < d2ad389bcfef844ef52ff5196f42a29b --- > 2d70b22060a42c98b5e210db7fae3316 605,608c605 < 9573 < < policyEnrollment < dir --- > 5578 643a641,643 > policyEnrollment > dir > 647c647 < displayCaCert.template --- > revocationMenu.html 654c654 < b658c608ff47b94b063783fe99d33bec --- > 76b8b847bcd1aa30bc77ca6769a60c88 679c679 < 4756 --- > 1068 681c681 < revocationMenu.html --- > displayCaCert.template 688c688 < 76b8b847bcd1aa30bc77ca6769a60c88 --- > b658c608ff47b94b063783fe99d33bec 713c713 < 1068 --- > 4756 783c783 < ProfileList.template --- > requestStatus.template 790,793c790,793 < 1b00b083c1a7ea9ba184db1ec3d92dad < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 09dbddff4c5a0bfe6c07690dd2354a0d > 2012-08-03T00:07:00.763807Z > 16027 > awnuk at REDHAT.COM 815c815 < 2707 --- > 8676 817c817 < requestStatus.template --- > ProfileList.template 824,827c824,827 < 09dbddff4c5a0bfe6c07690dd2354a0d < 
2012-08-03T00:07:00.763807Z < 16027 < awnuk at REDHAT.COM --- > 1b00b083c1a7ea9ba184db1ec3d92dad > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 849c849 < 8676 --- > 2707 953c953 < ImportAdminCert.template --- > UserRevocation.html 959,963c959,963 < 2013-02-06T23:00:27.000000Z < cc63ecf5fbd6c9dec53b75848322ab62 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 2013-04-02T21:34:48.000000Z > 866980630741c16b163722fea37f3f67 > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 985c985 < 2177 --- > 4608 987c987 < UserRevocation.html --- > ImportAdminCert.template 993,997c993,997 < 2013-04-02T21:34:48.000000Z < 866980630741c16b163722fea37f3f67 < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:27.000000Z > cc63ecf5fbd6c9dec53b75848322ab62 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 1019c1019 < 4608 --- > 2177 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/policyEnrollment/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/ee/ca/profileEnrollment/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ca-ui/shared/webapps/ca/ee/graphics/.svn/entries 20130413/pki/redhat/ca-ui/shared/webapps/ca/ee/graphics/.svn/entries 4c4 < 16073 --- > 16075 29c29 < gray90.gif --- > folder.gif 36c36 < c1e51cedb40f481e48fe6a81ebdf6919 --- > a2b77438cc9a48f709fc32cec8eba45e 61c61 < 66 --- > 112 63c63 < folder.gif --- > gray90.gif 70c70 < a2b77438cc9a48f709fc32cec8eba45e --- > c1e51cedb40f481e48fe6a81ebdf6919 95c95 < 112 --- > 66 diff -r 20130410/pki/redhat/common/.svn/entries 20130413/pki/redhat/common/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common/config/.svn/entries 20130413/pki/redhat/common/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/common/config-ext/.svn/entries 
20130413/pki/redhat/common/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/.svn/entries 20130413/pki/redhat/common-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/config/.svn/entries 20130413/pki/redhat/common-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/common-ui/config-ext/.svn/entries 20130413/pki/redhat/common-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/.svn/entries 20130413/pki/redhat/common-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/admin/.svn/entries 20130413/pki/redhat/common-ui/shared/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/admin/console/.svn/entries 20130413/pki/redhat/common-ui/shared/admin/console/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/admin/console/config/.svn/all-wcprops 20130413/pki/redhat/common-ui/shared/admin/console/config/.svn/all-wcprops 6c6 < hierarchypanel.vm --- > certchainpanel.vm 10c10 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/hierarchypanel.vm --- > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certchainpanel.vm 12c12,30 < footer.vm --- > databasepanel.vm > K 25 > svn:wc:ra_dav:version-url > V 122 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/databasepanel.vm > END > config_clone.vm > K 25 > svn:wc:ra_dav:version-url > V 121 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_clone.vm > END > certrequestpanel.vm > K 25 > svn:wc:ra_dav:version-url > V 125 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certrequestpanel.vm > END > header.vm 16c34 < 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/footer.vm --- > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/header.vm 18c36 < importcachainpanel.vm --- > sizepanel.vm 21,22c39,40 < V 127 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/importcachainpanel.vm --- > V 118 > /repos/pki/!svn/ver/16000/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/sizepanel.vm 24c42 < savepkcs12panel.vm --- > restorekeycertpanel.vm 27,28c45,46 < V 124 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/savepkcs12panel.vm --- > V 128 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/restorekeycertpanel.vm 30c48,54 < createsubsystempanel.vm --- > wizard.vm > K 25 > svn:wc:ra_dav:version-url > V 115 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/wizard.vm > END > certprettyprintpanel.vm 34c58,64 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/createsubsystempanel.vm --- > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certprettyprintpanel.vm > END > savepkcs12panel.vm > K 25 > svn:wc:ra_dav:version-url > V 124 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/savepkcs12panel.vm 53a84,95 > adminauthenticatepanel.vm > K 25 > svn:wc:ra_dav:version-url > V 131 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/adminauthenticatepanel.vm > END > securitydomainloginpanel.vm > K 25 > svn:wc:ra_dav:version-url > V 133 > 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/securitydomainloginpanel.vm > END 60c102 < adminpanel.vm --- > sidemenu.vm 63,64c105,106 < V 119 < /repos/pki/!svn/ver/16002/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/adminpanel.vm --- > V 117 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/sidemenu.vm 72,78c114 < backupkeycertpanel.vm < K 25 < svn:wc:ra_dav:version-url < V 127 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/backupkeycertpanel.vm < END < config_hsm.vm --- > welcomepanel.vm 81,82c117,118 < V 119 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_hsm.vm --- > V 121 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/welcomepanel.vm 89a126,131 > agentauthenticatepanel.vm > K 25 > svn:wc:ra_dav:version-url > V 131 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/agentauthenticatepanel.vm > END 96c138 < certchainpanel.vm --- > importadmincertpanel.vm 99,100c141,142 < V 123 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certchainpanel.vm --- > V 129 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/importadmincertpanel.vm 114,120c156 < config_clone.vm < K 25 < svn:wc:ra_dav:version-url < V 121 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_clone.vm < END < certrequestpanel.vm --- > config_hsmloginpanel.vm 123,124c159,160 < V 125 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certrequestpanel.vm --- > V 129 > 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_hsmloginpanel.vm 132,138c168 < header.vm < K 25 < svn:wc:ra_dav:version-url < V 115 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/header.vm < END < namepanel.vm --- > hierarchypanel.vm 141,142c171,172 < V 118 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/namepanel.vm --- > V 123 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/hierarchypanel.vm 144c174 < wizard.vm --- > footer.vm 148c178 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/wizard.vm --- > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/footer.vm 156,180c186 < certprettyprintpanel.vm < K 25 < svn:wc:ra_dav:version-url < V 129 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/certprettyprintpanel.vm < END < adminauthenticatepanel.vm < K 25 < svn:wc:ra_dav:version-url < V 131 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/adminauthenticatepanel.vm < END < securitydomainloginpanel.vm < K 25 < svn:wc:ra_dav:version-url < V 133 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/securitydomainloginpanel.vm < END < sidemenu.vm < K 25 < svn:wc:ra_dav:version-url < V 117 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/sidemenu.vm < END < welcomepanel.vm --- > namepanel.vm 183,184c189,190 < V 121 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/welcomepanel.vm --- > V 118 > 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/namepanel.vm 186c192 < agentauthenticatepanel.vm --- > importcachainpanel.vm 189,190c195,196 < V 131 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/agentauthenticatepanel.vm --- > V 127 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/importcachainpanel.vm 192c198 < importadmincertpanel.vm --- > createsubsystempanel.vm 196,202c202 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/importadmincertpanel.vm < END < databasepanel.vm < K 25 < svn:wc:ra_dav:version-url < V 122 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/databasepanel.vm --- > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/createsubsystempanel.vm 204c204 < config_hsmloginpanel.vm --- > adminpanel.vm 207,208c207,208 < V 129 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_hsmloginpanel.vm --- > V 119 > /repos/pki/!svn/ver/16002/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/adminpanel.vm 210c210 < sizepanel.vm --- > backupkeycertpanel.vm 213,214c213,214 < V 118 < /repos/pki/!svn/ver/16000/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/sizepanel.vm --- > V 127 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/backupkeycertpanel.vm 216c216 < restorekeycertpanel.vm --- > config_hsm.vm 219,220c219,220 < V 128 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/restorekeycertpanel.vm --- > V 119 > 
/repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/common-ui/shared/admin/console/config/config_hsm.vm diff -r 20130410/pki/redhat/common-ui/shared/admin/console/config/.svn/entries 20130413/pki/redhat/common-ui/shared/admin/console/config/.svn/entries 97c97 < importcachainpanel.vm --- > namepanel.vm 104,107c104,107 < 8478eacd0f398ace3a9da32ebea1774c < 2009-05-13T01:39:31.073526Z < 15492 < mharmsen at REDHAT.COM --- > e593f5594ef351870739c36210dd7854 > 2009-02-27T17:49:21.091588Z > 15433 > alee at REDHAT.COM 129c129 < 2133 --- > 3795 131c131 < savepkcs12panel.vm --- > xml.vm 138,141c138,141 < 1377c99e43f731e990dc1dab65575207 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 4ba759406bd097c46db558c58becea0c > 2011-01-20T23:10:17.714646Z > 15835 > mharmsen at REDHAT.COM 163c163 < 1608 --- > 875 165c165 < createsubsystempanel.vm --- > importcachainpanel.vm 172,174c172,174 < 38ef3a4b2e2aebc611d32cb2215c397d < 2009-05-07T22:41:45.790133Z < 15483 --- > 8478eacd0f398ace3a9da32ebea1774c > 2009-05-13T01:39:31.073526Z > 15492 197c197 < 3559 --- > 2133 199c199 < modulepanel.vm --- > createsubsystempanel.vm 206,209c206,209 < 5f6cfc03dbaf7e3768f1d8fc0527023f < 2010-10-04T16:42:14.502918Z < 15814 < cfu at REDHAT.COM --- > 38ef3a4b2e2aebc611d32cb2215c397d > 2009-05-07T22:41:45.790133Z > 15483 > mharmsen at REDHAT.COM 231c231 < 6587 --- > 3559 233c233 < donepanel.vm --- > adminpanel.vm 240,242c240,242 < 6f531ce2008a83fae4617810d794beda < 2012-08-17T23:47:03.220073Z < 16035 --- > 364b43c407571aa5511f98b5221af94f > 2012-03-06T01:17:57.577853Z > 16002 265c265 < 2829 --- > 6892 267c267 < displaycertchainpanel.vm --- > backupkeycertpanel.vm 274c274 < ec4791d93e0f7be12a92d37a42f7c159 --- > d90eb10ecb25b61ed0ba482fded8da43 299c299 < 1517 --- > 2571 301c301 < login.vm --- > config_hsm.vm 308c308 < 51b584fda834aebc24645776305a8d2c --- > 9c03ac1c24ec08dbf6d381c4b6fe3f7b 333c333 < 2971 --- > 4580 335c335 < adminpanel.vm --- > certchainpanel.vm 342,345c342,345 < 
364b43c407571aa5511f98b5221af94f < 2012-03-06T01:17:57.577853Z < 16002 < awnuk at REDHAT.COM --- > 55ae1a017dd413c77e6aa6bab28a28b3 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 367c367 < 6892 --- > 1472 369c369 < config_db.vm --- > databasepanel.vm 376,378c376,378 < 01f81c628b83f7b6d0b5feb3077f3909 < 2010-11-24T17:17:48.765841Z < 15831 --- > 28e236d90ff55bf5b8c0cfa8e8b3f2be > 2011-03-09T07:10:59.316217Z > 15839 401c401 < 4340 --- > 4010 403c403 < backupkeycertpanel.vm --- > config_clone.vm 410,413c410,413 < d90eb10ecb25b61ed0ba482fded8da43 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 7621e438ac042716133c5454a42b055d > 2010-11-24T17:17:48.765841Z > 15831 > alee at REDHAT.COM 435c435 < 2571 --- > 3918 437c437 < config_hsm.vm --- > certrequestpanel.vm 444,447c444,447 < 9c03ac1c24ec08dbf6d381c4b6fe3f7b < 2010-11-24T17:17:48.765841Z < 15831 < alee at REDHAT.COM --- > b03f869ddca1a40e1e18d3700c567d14 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 469c469 < 4580 --- > 7491 471c471 < config_rootca.vm --- > header.vm 478,481c478,481 < 87c986d47717285a4e522c4f2a0135f9 < 2010-11-24T17:17:48.765841Z < 15831 < alee at REDHAT.COM --- > b5f91da6e08de42b5839fc44404ef3ed > 2009-03-25T23:56:04.292449Z > 15454 > mharmsen at REDHAT.COM 503c503 < 3333 --- > 1228 505c505 < securitydomainpanel.vm --- > sizepanel.vm 511,515c511,515 < 2013-02-06T23:00:37.000000Z < 566486e14ce17b81a36bc6a15280d6e8 < 2009-06-01T20:35:47.594177Z < 15532 < mharmsen at REDHAT.COM --- > 2013-04-12T04:24:43.000000Z > 9c8cedc69d51048540aa5456d7bc7208 > 2012-02-29T19:02:40.367564Z > 16000 > awnuk at REDHAT.COM 537c537 < 4496 --- > 20297 539c539 < certchainpanel.vm --- > restorekeycertpanel.vm 546,549c546,549 < 55ae1a017dd413c77e6aa6bab28a28b3 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > fcdad5dfa8aa39bab5058035cf21b5dc > 2010-10-07T19:21:04.755038Z > 15815 > alee at REDHAT.COM 571c571 < 1472 --- > 2402 573c573 < config_join.vm --- > wizard.vm 580c580 < 772dcafb9c2391da35ff71c4618c94d9 --- > 
7c5904ec9953615f55cbb2a19b33d249 605c605 < 4111 --- > 3604 607c607 < config_clone.vm --- > certprettyprintpanel.vm 614,617c614,617 < 7621e438ac042716133c5454a42b055d < 2010-11-24T17:17:48.765841Z < 15831 < alee at REDHAT.COM --- > 779c4dcbeede45e95c773aa4834c1a8f > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 639c639 < 3918 --- > 1481 641c641 < config_addhsm.vm --- > savepkcs12panel.vm 648,651c648,651 < db6b8039e207cb6a4c6335b447c5c4a8 < 2010-11-24T17:17:48.765841Z < 15831 < alee at REDHAT.COM --- > 1377c99e43f731e990dc1dab65575207 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 673c673 < 2830 --- > 1608 675c675 < certrequestpanel.vm --- > modulepanel.vm 682,685c682,685 < b03f869ddca1a40e1e18d3700c567d14 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 5f6cfc03dbaf7e3768f1d8fc0527023f > 2010-10-04T16:42:14.502918Z > 15814 > cfu at REDHAT.COM 707c707 < 7491 --- > 6587 709c709 < topmenu.vm --- > donepanel.vm 716,719c716,719 < 6672a85c98bea86b1db87930091322df < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 6f531ce2008a83fae4617810d794beda > 2012-08-17T23:47:03.220073Z > 16035 > awnuk at REDHAT.COM 741c741 < 920 --- > 2829 743c743 < header.vm --- > displaycertchainpanel.vm 750,753c750,753 < b5f91da6e08de42b5839fc44404ef3ed < 2009-03-25T23:56:04.292449Z < 15454 < mharmsen at REDHAT.COM --- > ec4791d93e0f7be12a92d37a42f7c159 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 775c775 < 1228 --- > 1517 777c777 < xml.vm --- > adminauthenticatepanel.vm 784,786c784,786 < 4ba759406bd097c46db558c58becea0c < 2011-01-20T23:10:17.714646Z < 15835 --- > b7cc3dd868e9fae12d677a9cebd90ae8 > 2009-02-12T18:41:07.051725Z > 15418 809c809 < 875 --- > 1745 811c811 < wizard.vm --- > securitydomainloginpanel.vm 818c818 < 7c5904ec9953615f55cbb2a19b33d249 --- > ef3b318da33ea64d9b9ff0a8329882f9 843c843 < 3604 --- > 3904 845c845 < namepanel.vm --- > login.vm 852,854c852,854 < e593f5594ef351870739c36210dd7854 < 2009-02-27T17:49:21.091588Z < 15433 --- > 51b584fda834aebc24645776305a8d2c > 
2010-11-24T17:17:48.765841Z > 15831 877c877 < 3795 --- > 2971 879c879 < certprettyprintpanel.vm --- > sidemenu.vm 886c886 < 779c4dcbeede45e95c773aa4834c1a8f --- > 5c1de1a72ab13bb89f1550afe887055f 911c911 < 1481 --- > 1213 913c913 < adminauthenticatepanel.vm --- > config_db.vm 920,923c920,923 < b7cc3dd868e9fae12d677a9cebd90ae8 < 2009-02-12T18:41:07.051725Z < 15418 < mharmsen at REDHAT.COM --- > 01f81c628b83f7b6d0b5feb3077f3909 > 2010-11-24T17:17:48.765841Z > 15831 > alee at REDHAT.COM 945c945 < 1745 --- > 4340 947c947 < securitydomainloginpanel.vm --- > welcomepanel.vm 954,957c954,957 < ef3b318da33ea64d9b9ff0a8329882f9 < 2010-11-24T17:17:48.765841Z < 15831 < alee at REDHAT.COM --- > e44540d15915662d4d57d67e9c485a4a > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 979c979 < 3904 --- > 2438 981c981 < sidemenu.vm --- > config_rootca.vm 988,991c988,991 < 5c1de1a72ab13bb89f1550afe887055f < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 87c986d47717285a4e522c4f2a0135f9 > 2010-11-24T17:17:48.765841Z > 15831 > alee at REDHAT.COM 1013c1013 < 1213 --- > 3333 1015c1015 < welcomepanel.vm --- > agentauthenticatepanel.vm 1022,1025c1022,1025 < e44540d15915662d4d57d67e9c485a4a < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 6572df1a9cb20512e76fb60c2125d878 > 2009-02-12T18:41:07.051725Z > 15418 > mharmsen at REDHAT.COM 1047c1047 < 2438 --- > 1663 1049c1049 < agentauthenticatepanel.vm --- > securitydomainpanel.vm 1056,1058c1056,1058 < 6572df1a9cb20512e76fb60c2125d878 < 2009-02-12T18:41:07.051725Z < 15418 --- > 566486e14ce17b81a36bc6a15280d6e8 > 2009-06-01T20:35:47.594177Z > 15532 1081c1081 < 1663 --- > 4496 1117c1117 < databasepanel.vm --- > config_join.vm 1124,1126c1124,1126 < 28e236d90ff55bf5b8c0cfa8e8b3f2be < 2011-03-09T07:10:59.316217Z < 15839 --- > 772dcafb9c2391da35ff71c4618c94d9 > 2010-11-24T17:17:48.765841Z > 15831 1149c1149 < 4010 --- > 4111 1151c1151 < config_hsmloginpanel.vm --- > config_addhsm.vm 1158,1161c1158,1161 < b61e13d13f01d865592bde79cd1a7ce2 < 
2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > db6b8039e207cb6a4c6335b447c5c4a8 > 2010-11-24T17:17:48.765841Z > 15831 > alee at REDHAT.COM 1183c1183 < 2118 --- > 2830 1185c1185 < sizepanel.vm --- > config_hsmloginpanel.vm 1192,1195c1192,1195 < 9c8cedc69d51048540aa5456d7bc7208 < 2012-02-29T19:02:40.367564Z < 16000 < awnuk at REDHAT.COM --- > b61e13d13f01d865592bde79cd1a7ce2 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 1217c1217 < 20297 --- > 2118 1219c1219 < restorekeycertpanel.vm --- > topmenu.vm 1226,1229c1226,1229 < fcdad5dfa8aa39bab5058035cf21b5dc < 2010-10-07T19:21:04.755038Z < 15815 < alee at REDHAT.COM --- > 6672a85c98bea86b1db87930091322df > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 1251c1251 < 2402 --- > 920 Only in 20130410/pki/redhat/common-ui/shared/admin/console/config: importadmincertpanel.vm.mlh diff -r 20130410/pki/redhat/common-ui/shared/admin/console/img/.svn/entries 20130413/pki/redhat/common-ui/shared/admin/console/img/.svn/entries 4c4 < 16073 --- > 16075 29c29 < icon_crit_update.gif --- > no-certificate.png 36c36 < 780c4b270412345e20be4a12d6c84f25 --- > 85d95ce8ae7d081d5cebfa4d2c0248a7 61c61 < 337 --- > 2342 97c97 < no-certificate.png --- > icon_crit_update.gif 104c104 < 85d95ce8ae7d081d5cebfa4d2c0248a7 --- > 780c4b270412345e20be4a12d6c84f25 129c129 < 2342 --- > 337 437c437 < key.png --- > lock.png 444c444 < c397aa889b75fb227f23f75544686873 --- > e258fd173069e299a56d155fbd4ffbdd 469c469 < 1753 --- > 1453 471c471 < lock.png --- > key.png 478c478 < e258fd173069e299a56d155fbd4ffbdd --- > c397aa889b75fb227f23f75544686873 503c503 < 1453 --- > 1753 diff -r 20130410/pki/redhat/common-ui/shared/admin/console/js/.svn/entries 20130413/pki/redhat/common-ui/shared/admin/console/js/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/css/.svn/entries 20130413/pki/redhat/common-ui/shared/css/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/common-ui/shared/img/.svn/entries 
20130413/pki/redhat/common-ui/shared/img/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/config-ext/.svn/entries 20130413/pki/redhat/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console/.svn/entries 20130413/pki/redhat/console/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console/config/.svn/entries 20130413/pki/redhat/console/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/console/config-ext/.svn/entries 20130413/pki/redhat/console/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/.svn/entries 20130413/pki/redhat/console-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/config/.svn/entries 20130413/pki/redhat/console-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/console-ui/config-ext/.svn/entries 20130413/pki/redhat/console-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/.svn/entries 20130413/pki/redhat/console-ui/src/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/.svn/entries 20130413/pki/redhat/console-ui/src/com/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/admin/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/admin/certsrv/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/admin/certsrv/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/admin/certsrv/theme/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/admin/certsrv/theme/.svn/entries 4c4 < 16073 --- > 16075 diff -r 
20130410/pki/redhat/console-ui/src/com/netscape/management/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/management/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/management/client/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/management/client/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/management/client/theme/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/management/client/theme/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/console-ui/src/com/netscape/management/client/theme/images/.svn/entries 20130413/pki/redhat/console-ui/src/com/netscape/management/client/theme/images/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/java-tools/.svn/entries 20130413/pki/redhat/java-tools/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/java-tools/config/.svn/entries 20130413/pki/redhat/java-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/java-tools/config-ext/.svn/entries 20130413/pki/redhat/java-tools/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra/.svn/entries 20130413/pki/redhat/kra/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra/config/.svn/entries 20130413/pki/redhat/kra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/kra/config-ext/.svn/entries 20130413/pki/redhat/kra/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/.svn/entries 20130413/pki/redhat/kra-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/config/.svn/entries 20130413/pki/redhat/kra-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/kra-ui/config-ext/.svn/entries 20130413/pki/redhat/kra-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/.svn/entries 20130413/pki/redhat/kra-ui/shared/.svn/entries 4c4 < 
16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/.svn/entries 20130413/pki/redhat/kra-ui/shared/webapps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/redhat/kra-ui/shared/webapps/ROOT/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/kra/.svn/entries 20130413/pki/redhat/kra-ui/shared/webapps/kra/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/kra/agent/.svn/entries 20130413/pki/redhat/kra-ui/shared/webapps/kra/agent/.svn/entries 4c4 < 16073 --- > 16075 165c165 < GenRejected.template --- > funcs.js 172,175c172,175 < 34bf0b53649637f2f1b6235357bb5769 < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 6d4545a3c379731b30c89981ce8f1ff7 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 197c197 < 2678 --- > 19526 199c199 < funcs.js --- > GenRejected.template 206,209c206,209 < 6d4545a3c379731b30c89981ce8f1ff7 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 34bf0b53649637f2f1b6235357bb5769 > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 231c231 < 19526 --- > 2678 406c406 < GenSuccess.template --- > helpfun.js 413,416c413,416 < dcf94c3823a72b4f65ac087f402ae313 < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 372afafac5cd20f96bb3180f688acf9b > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 438c438 < 1635 --- > 1117 440c440 < helpfun.js --- > GenSuccess.template 447,450c447,450 < 372afafac5cd20f96bb3180f688acf9b < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > dcf94c3823a72b4f65ac087f402ae313 > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 472c472 < 1117 --- > 1635 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/kra/agent/graphics/.svn/entries 20130413/pki/redhat/kra-ui/shared/webapps/kra/agent/graphics/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/kra-ui/shared/webapps/kra/agent/kra/.svn/entries 
20130413/pki/redhat/kra-ui/shared/webapps/kra/agent/kra/.svn/entries 4c4 < 16073 --- > 16075 573c573 < ListRequests.html --- > displayBySerial.template 580c580 < c55e03ac0c41b73ff27ca301b9e86b10 --- > a1d8a1ee05ce09eba00549e88c72895f 605c605 < 3569 --- > 5361 607c607 < displayBySerial.template --- > ListRequests.html 614c614 < a1d8a1ee05ce09eba00549e88c72895f --- > c55e03ac0c41b73ff27ca301b9e86b10 639c639 < 5361 --- > 3569 743c743 < queryKey.template --- > confirmRecoverBySerial.template 749,753c749,753 < 2013-04-02T21:34:46.000000Z < 8e44db5a2c96cbd51ec416b9e247c563 < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:20.000000Z > b1851d57503d3a28081b4cabfa938ca6 > 2007-05-17T22:47:22.839594Z > 14783 > nkwan 775c775 < 7722 --- > 2249 777c777 < confirmRecoverBySerial.template --- > queryKey.template 783,787c783,787 < 2013-02-06T23:00:20.000000Z < b1851d57503d3a28081b4cabfa938ca6 < 2007-05-17T22:47:22.839594Z < 14783 < nkwan --- > 2013-04-02T21:34:46.000000Z > 8e44db5a2c96cbd51ec416b9e247c563 > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 809c809 < 2249 --- > 7722 913c913 < processReq.template --- > displayBySerialForRecovery.template 920c920 < ecb1ba1b1c00398efc3a5cdb677cfa49 --- > 9580de93413161adb690400b1225d8ba 945c945 < 12527 --- > 10795 947c947 < displayBySerialForRecovery.template --- > processReq.template 954c954 < 9580de93413161adb690400b1225d8ba --- > ecb1ba1b1c00398efc3a5cdb677cfa49 979c979 < 10795 --- > 12527 1015c1015 < grantAsyncRecovery.template --- > getApprovalStatus.template 1022,1025c1022,1025 < 9f9e83f497f807302d0f6797ca07a6a7 < 2010-03-18T20:55:17.352743Z < 15744 < cfu at REDHAT.COM --- > fdf83c597f93c43e4f2143e10849267b > 2007-05-17T22:47:22.839594Z > 14783 > nkwan 1047c1047 < 1427 --- > 3708 1049c1049 < getApprovalStatus.template --- > grantAsyncRecovery.template 1056,1059c1056,1059 < fdf83c597f93c43e4f2143e10849267b < 2007-05-17T22:47:22.839594Z < 14783 < nkwan --- > 9f9e83f497f807302d0f6797ca07a6a7 > 
2010-03-18T20:55:17.352743Z > 15744 > cfu at REDHAT.COM 1081c1081 < 3708 --- > 1427 diff -r 20130410/pki/redhat/manage/.svn/entries 20130413/pki/redhat/manage/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/manage/config/.svn/entries 20130413/pki/redhat/manage/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/manage/config-ext/.svn/entries 20130413/pki/redhat/manage/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/migrate/.svn/all-wcprops 20130413/pki/redhat/migrate/.svn/all-wcprops 4c4,10 < /repos/pki/!svn/ver/16058/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/migrate --- > /repos/pki/!svn/ver/16074/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/migrate > END > pki-migrate.spec > K 25 > svn:wc:ra_dav:version-url > V 92 > /repos/pki/!svn/ver/16074/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/migrate/pki-migrate.spec 30,35d35 < pki-migrate.spec < K 25 < svn:wc:ra_dav:version-url < V 92 < /repos/pki/!svn/ver/16058/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/migrate/pki-migrate.spec < END diff -r 20130410/pki/redhat/migrate/.svn/entries 20130413/pki/redhat/migrate/.svn/entries 4c4 < 16073 --- > 16075 10,12c10,12 < 2012-10-15T23:12:40.249096Z < 16058 < cfu at REDHAT.COM --- > 2013-04-10T13:42:53.844212Z > 16074 > alee at REDHAT.COM 35,39c35,39 < 2013-04-08T21:31:10.000000Z < 273cfdb64f70a11b8b650590df50edf6 < 2012-10-15T23:12:40.249096Z < 16058 < cfu at REDHAT.COM --- > 2013-04-11T02:45:33.000000Z > 1c1e352d66aa3b7626ed96e260470a2a > 2013-04-10T13:42:53.844212Z > 16074 > alee at REDHAT.COM 61c61 < 15973 --- > 16177 diff -r 20130410/pki/redhat/migrate/.svn/text-base/pki-migrate.spec.svn-base 20130413/pki/redhat/migrate/.svn/text-base/pki-migrate.spec.svn-base 37c37 < %define base_release 10%{?base_build_tag} --- > %define base_release 11%{?base_build_tag} 268a269 > %attr(-,root,root) %{_datadir}/%{base_prefix}/%{base_component}/80To81/81schema.ldif 275a277,279 > * Mon Apr 8 2013 Ade Lee 8.1.0-11 > - Bugzilla Bug #707069 
- In-place migration from 8.1 to 8.1.2 > diff -r 20130410/pki/redhat/migrate/config/.svn/entries 20130413/pki/redhat/migrate/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/migrate/config-ext/.svn/all-wcprops 20130413/pki/redhat/migrate/config-ext/.svn/all-wcprops 5a6,11 > build_rhel4_pki > K 25 > svn:wc:ra_dav:version-url > V 94 > /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/config-ext/build_rhel4_pki > END 36,41d41 < build_rhel4_pki < K 25 < svn:wc:ra_dav:version-url < V 94 < /repos/pki/!svn/ver/15907/branches/PKI_8_1_ERRATA_BRANCH/pki/redhat/config-ext/build_rhel4_pki < END diff -r 20130410/pki/redhat/migrate/config-ext/.svn/entries 20130413/pki/redhat/migrate/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/migrate/pki-migrate.spec 20130413/pki/redhat/migrate/pki-migrate.spec 37c37 < %define base_release 10%{?base_build_tag} --- > %define base_release 11%{?base_build_tag} 268a269 > %attr(-,root,root) %{_datadir}/%{base_prefix}/%{base_component}/80To81/81schema.ldif 275a277,279 > * Mon Apr 8 2013 Ade Lee 8.1.0-11 > - Bugzilla Bug #707069 - In-place migration from 8.1 to 8.1.2 > diff -r 20130410/pki/redhat/native-tools/.svn/entries 20130413/pki/redhat/native-tools/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/native-tools/config/.svn/entries 20130413/pki/redhat/native-tools/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/native-tools/config-ext/.svn/entries 20130413/pki/redhat/native-tools/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp/.svn/entries 20130413/pki/redhat/ocsp/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp/config/.svn/entries 20130413/pki/redhat/ocsp/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ocsp/config-ext/.svn/entries 20130413/pki/redhat/ocsp/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/.svn/entries 
20130413/pki/redhat/ocsp-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/config/.svn/entries 20130413/pki/redhat/ocsp-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ocsp-ui/config-ext/.svn/entries 20130413/pki/redhat/ocsp-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/ROOT/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/ocsp/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/ocsp/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/.svn/entries 4c4 < 16073 --- > 16075 29c29 < ports.template --- > index.template 35,39c35,39 < 2013-02-06T23:00:03.000000Z < 46c311ab6a0354de32ae5228ac66a2c5 < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 2013-04-02T21:34:44.000000Z > 19a38066fcf105157fd97411bc475394 > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 61c61 < 4929 --- > 6290 63c63 < index.template --- > ports.template 69,73c69,73 < 2013-04-02T21:34:44.000000Z < 19a38066fcf105157fd97411bc475394 < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:03.000000Z > 46c311ab6a0354de32ae5228ac66a2c5 > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 95c95 < 6290 --- > 4929 199c199 < funcs.js --- > GenRejected.template 206,209c206,209 < 6d4545a3c379731b30c89981ce8f1ff7 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 5bfd3a26ad9efc39cf00fcb8e63c5315 > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 231c231 < 
19526 --- > 2679 233c233 < GenRejected.template --- > funcs.js 240,243c240,243 < 5bfd3a26ad9efc39cf00fcb8e63c5315 < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 6d4545a3c379731b30c89981ce8f1ff7 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 265c265 < 2679 --- > 19526 338,340d337 < ocsp < dir < 374a372,374 > ocsp > dir > diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/graphics/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/graphics/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/ocsp/.svn/entries 20130413/pki/redhat/ocsp-ui/shared/webapps/ocsp/agent/ocsp/.svn/entries 4c4 < 16073 --- > 16075 233c233 < menuOCSP.html --- > AddCRL.html 239,243c239,243 < 2013-02-06T23:00:03.000000Z < fd7dc667b8fdf8e7cd03e1eeb268775c < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 2013-04-02T21:34:44.000000Z > 287b5879641e448b4e4876dbf99bad45 > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 265c265 < 2267 --- > 2927 267c267 < AddCRL.html --- > menuOCSP.html 273,277c273,277 < 2013-04-02T21:34:44.000000Z < 287b5879641e448b4e4876dbf99bad45 < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:03.000000Z > fd7dc667b8fdf8e7cd03e1eeb268775c > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 299c299 < 2927 --- > 2267 diff -r 20130410/pki/redhat/osutil/.svn/entries 20130413/pki/redhat/osutil/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/osutil/config/.svn/entries 20130413/pki/redhat/osutil/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/osutil/config-ext/.svn/entries 20130413/pki/redhat/osutil/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra/.svn/entries 20130413/pki/redhat/ra/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra/config/.svn/entries 20130413/pki/redhat/ra/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ra/config-ext/.svn/entries 
20130413/pki/redhat/ra/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/.svn/entries 20130413/pki/redhat/ra-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/config/.svn/entries 20130413/pki/redhat/ra-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/ra-ui/config-ext/.svn/entries 20130413/pki/redhat/ra-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/.svn/entries 20130413/pki/redhat/ra-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/admin/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/admin/group/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/admin/group/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/admin/user/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/admin/user/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/agent/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/agent/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/agent/cert/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/agent/cert/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/agent/request/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/agent/request/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/css/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/css/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ee/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/.svn/entries 4c4 < 16073 --- > 16075 diff -r 
20130410/pki/redhat/ra-ui/shared/docroot/ee/agent/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/agent/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ee/request/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/request/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ee/scep/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/scep/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ee/server/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/server/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ee/user/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ee/user/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/images/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/images/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/console/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/console/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/console/config/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/console/config/.svn/entries 4c4 < 16073 --- > 16075 641c641 < header.vm --- > displaycertchain2panel.vm 648,651c648,651 < 84ba049391a2546314411d1a4d1c4830 < 2009-03-25T23:56:04.292449Z < 15454 < mharmsen at REDHAT.COM --- > 668f85e99516e3ed6b61914c93357525 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 673c673 < 1190 --- > 1469 675c675 < displaycertchain2panel.vm --- > header.vm 682,685c682,685 < 668f85e99516e3ed6b61914c93357525 < 
2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 84ba049391a2546314411d1a4d1c4830 > 2009-03-25T23:56:04.292449Z > 15454 > mharmsen at REDHAT.COM 707c707 < 1469 --- > 1190 743c743 < wizard.vm --- > namepanel.vm 750,753c750,753 < 77c00473ba5ca493e6c319aec9c565e6 < 2009-06-18T01:26:17.158558Z < 15555 < mharmsen at REDHAT.COM --- > ebe1d82cfcd777e12a890c038e4c3e0f > 2009-02-27T17:49:21.091588Z > 15433 > alee at REDHAT.COM 775c775 < 3350 --- > 3000 811c811 < namepanel.vm --- > wizard.vm 818,821c818,821 < ebe1d82cfcd777e12a890c038e4c3e0f < 2009-02-27T17:49:21.091588Z < 15433 < alee at REDHAT.COM --- > 77c00473ba5ca493e6c319aec9c565e6 > 2009-06-18T01:26:17.158558Z > 15555 > mharmsen at REDHAT.COM 843c843 < 3000 --- > 3350 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/console/css/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/console/css/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/console/img/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/console/img/.svn/entries 4c4 < 16073 --- > 16075 29c29 < icon_crit_update.gif --- > no-certificate.png 36c36 < 780c4b270412345e20be4a12d6c84f25 --- > 85d95ce8ae7d081d5cebfa4d2c0248a7 61c61 < 337 --- > 2342 97c97 < no-certificate.png --- > icon_crit_update.gif 104c104 < 85d95ce8ae7d081d5cebfa4d2c0248a7 --- > 780c4b270412345e20be4a12d6c84f25 129c129 < 2342 --- > 337 233c233 < button-clear.gif --- > pki-icon-home.gif 240c240 < 275ffc87e2e657909eb3c7f2325d3087 --- > b7152f4a6665d99f9a8e6cf303ffa0ad 265c265 < 647 --- > 657 301c301 < pki-icon-home.gif --- > button-clear.gif 308c308 < b7152f4a6665d99f9a8e6cf303ffa0ad --- > 275ffc87e2e657909eb3c7f2325d3087 333c333 < 657 --- > 647 335c335 < button-manage.gif --- > pki-icon-software.gif 342c342 < 75ebc12a210642bcc5c9a601ddb8ad7b --- > 2c256345e90fd8502d2f086ca04ca170 367c367 < 776 --- > 1146 403c403 < pki-icon-software.gif --- > button-manage.gif 410c410 < 2c256345e90fd8502d2f086ca04ca170 --- > 
75ebc12a210642bcc5c9a601ddb8ad7b 435c435 < 1146 --- > 776 diff -r 20130410/pki/redhat/ra-ui/shared/docroot/ra/admin/console/js/.svn/entries 20130413/pki/redhat/ra-ui/shared/docroot/ra/admin/console/js/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/scripts/.svn/entries 20130413/pki/redhat/scripts/.svn/entries 4c4 < 16073 --- > 16075 Only in 20130413/pki/redhat/scripts: typescript diff -r 20130410/pki/redhat/selinux/.svn/entries 20130413/pki/redhat/selinux/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/selinux/config/.svn/entries 20130413/pki/redhat/selinux/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/selinux/config-ext/.svn/entries 20130413/pki/redhat/selinux/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/setup/.svn/entries 20130413/pki/redhat/setup/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/setup/config/.svn/entries 20130413/pki/redhat/setup/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/setup/config-ext/.svn/entries 20130413/pki/redhat/setup/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/silent/.svn/entries 20130413/pki/redhat/silent/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/silent/config/.svn/entries 20130413/pki/redhat/silent/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/silent/config-ext/.svn/entries 20130413/pki/redhat/silent/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/symkey/.svn/entries 20130413/pki/redhat/symkey/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/symkey/config/.svn/entries 20130413/pki/redhat/symkey/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/symkey/config-ext/.svn/entries 20130413/pki/redhat/symkey/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks/.svn/entries 20130413/pki/redhat/tks/.svn/entries 4c4 < 16073 --- > 16075 diff -r 
20130410/pki/redhat/tks/config/.svn/entries 20130413/pki/redhat/tks/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/tks/config-ext/.svn/entries 20130413/pki/redhat/tks/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/.svn/entries 20130413/pki/redhat/tks-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/config/.svn/entries 20130413/pki/redhat/tks-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/tks-ui/config-ext/.svn/entries 20130413/pki/redhat/tks-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/.svn/entries 20130413/pki/redhat/tks-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/ROOT/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/ROOT/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/tks/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/tks/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/tks/agent/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/tks/agent/.svn/entries 4c4 < 16073 --- > 16075 29c29 < ports.template --- > index.template 35,39c35,39 < 2013-02-06T23:00:41.000000Z < d1f9b9cfffd30fedd73b5553c287e59a < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 2013-04-02T21:34:50.000000Z > 6ab3d15fb56722f9376fec4b9a26ed9f > 2013-03-25T13:54:52.957655Z > 16066 > alee at REDHAT.COM 61c61 < 4926 --- > 6286 63c63 < index.template --- > ports.template 69,73c69,73 < 2013-04-02T21:34:50.000000Z < 6ab3d15fb56722f9376fec4b9a26ed9f < 2013-03-25T13:54:52.957655Z < 16066 < alee at REDHAT.COM --- > 2013-02-06T23:00:41.000000Z > d1f9b9cfffd30fedd73b5553c287e59a > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 95c95 < 
6286 --- > 4926 199c199 < funcs.js --- > GenRejected.template 206,209c206,209 < 6d4545a3c379731b30c89981ce8f1ff7 < 2007-09-22T01:46:24.363575Z < 15102 < nkwan --- > 70fcb9af3ce04f91b0c9c9046690d59b > 2010-08-04T06:57:05.648720Z > 15780 > mharmsen at REDHAT.COM 231c231 < 19526 --- > 2678 233c233 < GenRejected.template --- > funcs.js 240,243c240,243 < 70fcb9af3ce04f91b0c9c9046690d59b < 2010-08-04T06:57:05.648720Z < 15780 < mharmsen at REDHAT.COM --- > 6d4545a3c379731b30c89981ce8f1ff7 > 2007-09-22T01:46:24.363575Z > 15102 > nkwan 265c265 < 2678 --- > 19526 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/tks/agent/graphics/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/tks/agent/graphics/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tks-ui/shared/webapps/tks/agent/tks/.svn/entries 20130413/pki/redhat/tks-ui/shared/webapps/tks/agent/tks/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps/.svn/entries 20130413/pki/redhat/tps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps/config/.svn/entries 20130413/pki/redhat/tps/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/tps/config-ext/.svn/entries 20130413/pki/redhat/tps/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/.svn/entries 20130413/pki/redhat/tps-ui/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/config/.svn/entries 20130413/pki/redhat/tps-ui/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/tps-ui/config-ext/.svn/entries 20130413/pki/redhat/tps-ui/config-ext/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/.svn/entries 20130413/pki/redhat/tps-ui/shared/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/cgi-bin/.svn/entries 20130413/pki/redhat/tps-ui/shared/cgi-bin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/cgi-bin/demo/.svn/entries 
20130413/pki/redhat/tps-ui/shared/cgi-bin/demo/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/cgi-bin/home/.svn/entries 20130413/pki/redhat/tps-ui/shared/cgi-bin/home/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/cgi-bin/so/.svn/entries 20130413/pki/redhat/tps-ui/shared/cgi-bin/so/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/cgi-bin/sow/.svn/entries 20130413/pki/redhat/tps-ui/shared/cgi-bin/sow/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/css/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/css/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/demo/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/demo/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/home/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/home/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/images/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/images/.svn/entries 4c4 < 16073 --- > 16075 97c97 < PadLock.gif --- > SuspendButton.gif 104c104 < edfc38bca9d4a3418670f0fa0b4f5b1b --- > 3a80169353184fc8e064f6eef682df52 129c129 < 136 --- > 1425 131c131 < SuspendButton.gif --- > PadLock.gif 138c138 < 3a80169353184fc8e064f6eef682df52 --- > edfc38bca9d4a3418670f0fa0b4f5b1b 163c163 < 1425 --- > 136 165c165 < NetKeyLogo.gif --- > ContinueButton.gif 172c172 < 10e710158d8052338d756813b73535db --- > 8c38956081d90872c56876071b6de86d 197c197 < 426 --- > 1457 199c199 < ContinueButton.gif --- > NetKeyLogo.gif 206c206 < 
8c38956081d90872c56876071b6de86d --- > 10e710158d8052338d756813b73535db 231c231 < 1457 --- > 426 335c335 < NetKeyProgress.gif --- > HelpButton.gif 342c342 < 6f5dd5b6feaa9e4b9cbd73ff24c25967 --- > 67b9c4b710ede79dd41d9b887b2e48ef 367c367 < 7018 --- > 1279 403c403 < HelpButton.gif --- > NetKeyProgress.gif 410c410 < 67b9c4b710ede79dd41d9b887b2e48ef --- > 6f5dd5b6feaa9e4b9cbd73ff24c25967 435c435 < 1279 --- > 7018 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/so/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/so/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/so/images/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/so/images/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/sow/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/sow/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/sow/css/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/sow/css/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/sow/images/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/sow/images/.svn/entries 4c4 < 16073 --- > 16075 29c29 < indicator.gif --- > prevlabel.gif 36c36 < 081a85491616ca381e7b7a847ab9e4cf --- > d935f4acf56e0b83218bbdb5835e4e23 61c61 < 701 --- > 371 97c97 < prevlabel.gif --- > indicator.gif 104c104 < d935f4acf56e0b83218bbdb5835e4e23 --- > 081a85491616ca381e7b7a847ab9e4cf 129c129 < 371 --- > 701 131c131 < Nside.jpg --- > loading.gif 138c138 < 17a0efa301d4e8e5645ba2b11300199c --- > 7e99e1159a3686f6aa4f90043c554483 163c163 < 3713 --- > 2767 165c165 < loading.gif --- > Nside.jpg 172c172 < 7e99e1159a3686f6aa4f90043c554483 --- > 17a0efa301d4e8e5645ba2b11300199c 197c197 < 2767 --- > 3713 199c199 < next.gif --- > nextlabel.gif 206c206 < 804543daa860e91aabe9ba634e64ed2b --- > 485d89b62f7af7f0ce9427bb9a636e7e 231c231 < 305 --- > 354 233c233 < nextlabel.gif --- > 
next.gif 240c240 < 485d89b62f7af7f0ce9427bb9a636e7e --- > 804543daa860e91aabe9ba634e64ed2b 265c265 < 354 --- > 305 335c335 < bg_grad.gif --- > right_bg.gif 342c342 < 0f64980ab8c2c098f7a324eac167e02c --- > 2ea45f9630a354a2bc36663d5f8d6f5c 367c367 < 829 --- > 1275 403c403 < right_bg.gif --- > bg_grad.gif 410c410 < 2ea45f9630a354a2bc36663d5f8d6f5c --- > 0f64980ab8c2c098f7a324eac167e02c 435c435 < 1275 --- > 829 471c471 < Untitled-3.gif --- > thumb-1.jpg 478c478 < 7dca4cba342f610c5aa0d30693c3fa84 --- > 9b1b923cd76561359f8886033a4f5848 503c503 < 1145 --- > 2874 505c505 < thumb-1.jpg --- > Untitled-3.gif 512c512 < 9b1b923cd76561359f8886033a4f5848 --- > 7dca4cba342f610c5aa0d30693c3fa84 537c537 < 2874 --- > 1145 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/esc/sow/js/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/esc/sow/js/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tokendb/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tokendb/.svn/entries 4c4 < 16073 --- > 16075 641c641 < showAdmin.template --- > new.template 648,650c648,650 < f9ac27d2a01f3a07e176b21452bed3a2 < 2009-07-01T17:12:57.607616Z < 15564 --- > 52341553e54442a415904b8f20f4ab4b > 2011-03-28T18:43:33.119303Z > 15849 673c673 < 10997 --- > 2967 675c675 < new.template --- > showAdmin.template 682,684c682,684 < 52341553e54442a415904b8f20f4ab4b < 2011-03-28T18:43:33.119303Z < 15849 --- > f9ac27d2a01f3a07e176b21452bed3a2 > 2009-07-01T17:12:57.607616Z > 15564 707c707 < 2967 --- > 10997 743c743 < revoke.template --- > searchActivityAdmin.template 750,753c750,753 < 2edb29304a428751094307dd9d398376 < 2009-07-01T17:12:57.607616Z < 15564 < alee at REDHAT.COM --- > 0cbe63d5b4077a797795078a00e73add > 2009-06-18T01:26:17.158558Z > 15555 > mharmsen at REDHAT.COM 775c775 < 12253 --- > 3638 777c777 < searchActivityAdmin.template --- > revoke.template 784,787c784,787 < 0cbe63d5b4077a797795078a00e73add < 2009-06-18T01:26:17.158558Z < 15555 < mharmsen at REDHAT.COM --- > 
2edb29304a428751094307dd9d398376 > 2009-07-01T17:12:57.607616Z > 15564 > alee at REDHAT.COM 809c809 < 3638 --- > 12253 913c913 < selfTestResults.template --- > editConfig.template 920,923c920,923 < d0a3e13090ab00bb6cf3f9f4655c42de < 2010-08-16T23:18:25.657475Z < 15799 < awnuk at REDHAT.COM --- > 352584a5ddc4a9b858ae3f38d67d88a3 > 2010-11-01T20:19:56.691345Z > 15825 > alee at REDHAT.COM 945c945 < 4471 --- > 8958 947c947 < editConfig.template --- > selfTestResults.template 954,957c954,957 < 352584a5ddc4a9b858ae3f38d67d88a3 < 2010-11-01T20:19:56.691345Z < 15825 < alee at REDHAT.COM --- > d0a3e13090ab00bb6cf3f9f4655c42de > 2010-08-16T23:18:25.657475Z > 15799 > awnuk at REDHAT.COM 979c979 < 8958 --- > 4471 1015c1015 < auditAdmin.template --- > agentViewConfig.template 1022,1024c1022,1024 < 65aa01bc25907c3a8f44e6d11e030879 < 2010-01-25T20:31:10.087455Z < 15718 --- > c0b72c0659c1574ccc43f668ec33b031 > 2010-11-01T20:19:56.691345Z > 15825 1047c1047 < 8541 --- > 6538 1049c1049 < agentViewConfig.template --- > auditAdmin.template 1056,1058c1056,1058 < c0b72c0659c1574ccc43f668ec33b031 < 2010-11-01T20:19:56.691345Z < 15825 --- > 65aa01bc25907c3a8f44e6d11e030879 > 2010-01-25T20:31:10.087455Z > 15718 1081c1081 < 6538 --- > 8541 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/admin/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/admin/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/admin/console/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/admin/console/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/admin/console/config/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/admin/console/config/.svn/entries 4c4 < 16073 --- > 16075 641c641 < displaycertchain2panel.vm --- > header.vm 648c648 < 
757e86f2278b8341562dd4f3423dfbb5 --- > ab87b521f1fdafd0cde2372f7e469fbe 673c673 < 1485 --- > 1245 675c675 < header.vm --- > displaycertchain2panel.vm 682c682 < ab87b521f1fdafd0cde2372f7e469fbe --- > 757e86f2278b8341562dd4f3423dfbb5 707c707 < 1245 --- > 1485 743c743 < wizard.vm --- > namepanel.vm 750,752c750,752 < 813ee4eadc6ebe579dacc61cd78a234f < 2009-06-18T01:26:17.158558Z < 15555 --- > be520ea86f4311acd47fb03337d041dd > 2009-03-25T23:56:04.292449Z > 15454 775c775 < 3501 --- > 3016 811c811 < namepanel.vm --- > wizard.vm 818,820c818,820 < be520ea86f4311acd47fb03337d041dd < 2009-03-25T23:56:04.292449Z < 15454 --- > 813ee4eadc6ebe579dacc61cd78a234f > 2009-06-18T01:26:17.158558Z > 15555 843c843 < 3016 --- > 3501 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/admin/console/img/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/admin/console/img/.svn/entries 4c4 < 16073 --- > 16075 29c29 < icon_crit_update.gif --- > id.png 36c36 < 780c4b270412345e20be4a12d6c84f25 --- > 0e7d74d28d6a32582d0f9b6c211b4bb9 61c61 < 337 --- > 1604 97c97 < id.png --- > icon_crit_update.gif 104c104 < 0e7d74d28d6a32582d0f9b6c211b4bb9 --- > 780c4b270412345e20be4a12d6c84f25 129c129 < 1604 --- > 337 131c131 < icon_checkin.gif --- > icon_up2date.gif 138c138 < 9db09afb885f049c9060378e090fb37d --- > e78feb0776e7143e5f4dec201d994845 163c163 < 225 --- > 226 165c165 < icon_up2date.gif --- > icon_checkin.gif 172c172 < e78feb0776e7143e5f4dec201d994845 --- > 9db09afb885f049c9060378e090fb37d 197c197 < 226 --- > 225 403c403 < button-clear.gif --- > pki-icon-home.gif 410c410 < 275ffc87e2e657909eb3c7f2325d3087 --- > b7152f4a6665d99f9a8e6cf303ffa0ad 435c435 < 647 --- > 657 471c471 < pki-icon-home.gif --- > button-clear.gif 478c478 < b7152f4a6665d99f9a8e6cf303ffa0ad --- > 275ffc87e2e657909eb3c7f2325d3087 503c503 < 657 --- > 647 diff -r 20130410/pki/redhat/tps-ui/shared/docroot/tps/admin/console/js/.svn/entries 20130413/pki/redhat/tps-ui/shared/docroot/tps/admin/console/js/.svn/entries 4c4 < 16073 
--- > 16075 diff -r 20130410/pki/redhat/util/.svn/entries 20130413/pki/redhat/util/.svn/entries 4c4 < 16073 --- > 16075 diff -r 20130410/pki/redhat/util/config/.svn/entries 20130413/pki/redhat/util/config/.svn/entries 4c4 < 2554 --- > 2564 diff -r 20130410/pki/redhat/util/config-ext/.svn/entries 20130413/pki/redhat/util/config-ext/.svn/entries 4c4 < 16073 --- > 16075 From alee at redhat.com Mon Apr 15 15:09:15 2013 
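Review bot: almost every hunk in this recursive diff is Subversion working-copy bookkeeping rather than a code change: the `4c4` revision bumps in `.svn/entries` (16073 to 16075, 2554 to 2564), the reordered entry records with their checksums and timestamps, `all-wcprops`, and the `text-base` copy that repeats the `pki-migrate.spec` hunk verbatim. Regenerate the diff with that metadata excluded (for example `diff -r -x .svn`) so the real changes can be reviewed. Two remaining items need an explanation. First, `Only in 20130413/pki/redhat/scripts: typescript` looks like a leftover `script` session capture rather than a source file. Second, the `pki-migrate.spec` change (`base_release` 10 to 11, the new `81schema.ldif` `%attr` line, the changelog entry for Bug #707069) is recorded in `migrate/.svn/entries` as revision 16074, which suggests the two trees were compared at different revisions and the diff has picked up an unrelated commit.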
From: alee at redhat.com (Ade Lee) Date: Mon, 15 Apr 2013 11:09:15 -0400 Subject: [Pki-devel] [PATCH] RHCS 8.1 - SAN Multi-Host Patches [20130413] In-Reply-To: <516A494F.9080202@redhat.com> References: <516A494F.9080202@redhat.com> Message-ID: <1366038555.10716.7.camel@aleeredhat.laptop> Couple of small points: In CAInfoPanel.pm, KRAInfoPanel.pm, TKSInfoPanel.pm (for TPS), and CAInfoPanel (for RA): * You add a comment about a code path that is no longer used. This is actually a bug in pkisilent. Basically, we should be using - or have the ability to use this option. Otherwise, we effectively only use the first URL in the list when selecting CA, KRA, etc. Therefore I would NOT put in this comment. We may even want to add a BZ to make TPS and RA use this option. * In the functions, get_secure_*_port_domain_xml and get_secure_*_host_from domain_xml, you should break to exit the loop once a match is made. Also, there is an unused counter variable $count that should be removed. Other than these issues, ACK. Ade On Sat, 2013-04-13 at 23:14 -0700, Matthew Harmsen wrote: > Please review the attached patches which seek to implement 'Bugzilla > Bug #902956 - [RFE] Cert System 8.1 - Provide automated option for IP > separated configuration' for RHCS 8.1. > > Three new patches (two which are revisions to the previous patches, > and one which represents a simple recursive diffs between the two > 'pki' trees which contain the code changes) have been attached which > address the remaining issues. 
> * This version of the code has been tested utilizing the > following configuration: > * pki-ip-host (installation host - RHEL 5.9 x86_64) > * pki-ca-agent (CA agent interface - virtual IP) > * pki-ca-ee (CA EE interface - virtual IP) > * pki-ca-ee-ca (CA EE clientauth interface - > virtual IP) > * pki-ca-admin (CA admin interface - virtual IP) > * pki-kra-agent (KRA agent interface - virtual > IP) > * pki-kra-ee (KRA EE interface - virtual IP) > * pki-kra-admin (KRA admin interface - virtual > IP) > * pki-rhel6 (RHDS 9.1 - RHEL 6.3 x86_64 which uses a > different domain) > * Tests utilizing the browser GUI interface have been tested > successfully for the following PKI subsystems: > * CA using four VIPs > * KRA using three VIPs > * OCSP (was never tested, but is strongly believed to > work since the batch 'pkisilent' worked successfully) > * TKS using 'pki-ip-host' as the address for all three > hosts > * RA connecting to this CA > * TPS connecting to this CA, KRA, and TKS > * Tests utilizing new 'pkisilent' batch process templates, the > following PKI subsystems have been tested successfully: > * CA using four VIPs > * KRA using three VIPs > * OCSP using 'pki-ip-host' as the address for all three > hosts > * TKS using 'pki-ip-host' as the address for all three > hosts > * RA failed to connect to this CA (Bugzilla Bug #951891 > filed) > * TPS connecting to this CA, KRA, and TKS > * Bugs have been filed for all remaining issues (many of which > may be addressable during the Q/E test cycle): > * Bugzilla Bug #224770 - Apply "use strict" methodology > to "pkicommon/pkicreate/pkiremove/pkicomplete" . . . 
> * Bugzilla Bug #951886 - Refactor > 'get_port_configuration_mode()' in 'pkicommon' > * Bugzilla Bug #951887 - Use of unlabelled SELinux ports > on VIPs to support 'IP Separation' > * Bugzilla Bug #951890 - Include default EE clientauth > port (9446) in pki-selinux policy > * Bugzilla Bug #951891 - 'silent_ra_to_ip_port.template' > fails to configure an RA successfully > * Bugzilla Bug #910175 - [DOC] Cert System 8.1 - IP Port > Separation Configuration Mode (additional material has > been added to this bug) > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From mharmsen at redhat.com Mon Apr 15 19:14:36 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 15 Apr 2013 12:14:36 -0700 Subject: [Pki-devel] [PATCH] 227 Fixed version number in CMake script. In-Reply-To: <51672912.9010902@redhat.com> References: <51672912.9010902@redhat.com> Message-ID: <516C519C.3070909@redhat.com> On 04/11/13 14:20, Endi Sukma Dewata wrote: > The main CMake script has been modified to remove hard-coded > APPLICATION_VERSION_PATCH. > > This fixed the problem building javadoc. > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK This is no longer necessary, as the entire VERSION is always supplied to CMAKE via the spec files. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue Apr 16 01:54:53 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Apr 2013 20:54:53 -0500 Subject: [Pki-devel] [PATCH] 227 Fixed version number in CMake script. In-Reply-To: <516C519C.3070909@redhat.com> References: <51672912.9010902@redhat.com> <516C519C.3070909@redhat.com> Message-ID: <516CAF6D.5040109@redhat.com> On 4/15/2013 2:14 PM, Matthew Harmsen wrote: > On 04/11/13 14:20, Endi Sukma Dewata wrote: >> The main CMake script has been modified to remove hard-coded >> APPLICATION_VERSION_PATCH. >> >> This fixed the problem building javadoc. > ACK > > This is no longer necessary, as the entire VERSION is always supplied to > CMAKE via the spec files. Pushed to master. The compose scripts will be changed to get the version numbers from the spec files in a separate ticket: https://fedorahosted.org/pki/ticket/586 -- Endi S. Dewata From edewata at redhat.com Tue Apr 16 02:04:49 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 15 Apr 2013 21:04:49 -0500 Subject: [Pki-devel] [PATCH] 222 Added upgrade script for random number generator. In-Reply-To: <515F36B3.4090805@redhat.com> References: <514B6C31.9060301@redhat.com> <515F36B3.4090805@redhat.com> Message-ID: <516CB1C1.3080507@redhat.com> On 4/5/2013 3:40 PM, Endi Sukma Dewata wrote: > On 3/21/2013 3:23 PM, Endi Sukma Dewata wrote: >> An upgrade script has been added to update the context.xml to >> configure the random number generator. >> >> Ticket #545 > > Rebased on top of #221-1. Revised the patch to do pretty print using python-lxml library. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0222-2-Added-upgrade-script-for-random-number-generator.patch Type: text/x-patch Size: 7214 bytes Desc: not available URL: From alee at redhat.com Tue Apr 16 14:28:16 2013 
From: alee at redhat.com (Ade Lee) Date: Tue, 16 Apr 2013 10:28:16 -0400 Subject: [Pki-devel] [PATCH] 126 - Add tokenAuthenticate to admin interface. In-Reply-To: <1365784209.2686.10.camel@aleeredhat.laptop> References: <1365784209.2686.10.camel@aleeredhat.laptop> Message-ID: <1366122496.10716.10.camel@aleeredhat.laptop> Patch with updates based on review. Corrected errors in servlets added, and inserted the new servlets into correct location in web.xml. Formatting of web.xml will be done in another patch. This patch goes on top of 125 (and in place of 126) Please review. Ade On Fri, 2013-04-12 at 12:30 -0400, Ade Lee wrote: > This was part of the cloning changes recently added to 8.1. > Also added the required migration script code. This goes on top of > patch 125. > > Please review. > > Ade -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-vakwetu-0126-1-Added-tokenAuthenticate-to-admin-interface.patch Type: text/x-patch Size: 12738 bytes Desc: not available URL: From alee at redhat.com Tue Apr 16 16:13:33 2013 
From: alee at redhat.com (Ade Lee) Date: Tue, 16 Apr 2013 12:13:33 -0400 Subject: [Pki-devel] [PATCH] 126 - Add tokenAuthenticate to admin interface. In-Reply-To: <1366122496.10716.10.camel@aleeredhat.laptop> References: <1365784209.2686.10.camel@aleeredhat.laptop> <1366122496.10716.10.camel@aleeredhat.laptop> Message-ID: <1366128813.540.0.camel@aleeredhat.laptop> acked by Endi . Pushed to master. On Tue, 2013-04-16 at 10:28 -0400, Ade Lee wrote: > Patch with updates based on review. > > Corrected errors in servlets added, and inserted the new servlets into > correct location in web.xml. Formatting of web.xml will be done in > another patch. > > This patch goes on top of 125 (and in place of 126) > > Please review. > Ade > > On Fri, 2013-04-12 at 12:30 -0400, Ade Lee wrote: > > This was part of the cloning changes recently added to 8.1. > > Also added the required migration script code. This goes on top of > > patch 125. > > > > Please review. > > > > Ade > From alee at redhat.com Tue Apr 16 16:14:00 2013 From: alee at redhat.com (Ade Lee) Date: Tue, 16 Apr 2013 12:14:00 -0400 Subject: [Pki-devel] [PATCH] 125 - migration script for cloning changes In-Reply-To: <1365776847.2686.7.camel@aleeredhat.laptop> References: <1365776847.2686.7.camel@aleeredhat.laptop> Message-ID: <1366128840.540.1.camel@aleeredhat.laptop> acked by Endi, pushed to master. On Fri, 2013-04-12 at 10:27 -0400, Ade Lee wrote: > Ticket 546. > > There are some additional cloning changes which have not yet been ported > to dogtag 10. These will be added in a separate patch (with migration > changes). > > This goes on top of Endi's patch for the random number generator > changes. > > Please review. > > Ade > From edewata at redhat.com Tue Apr 16 16:19:30 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 11:19:30 -0500 Subject: [Pki-devel] [PATCH] 222 Added upgrade script for random number generator. In-Reply-To: <516CB1C1.3080507@redhat.com> References: <514B6C31.9060301@redhat.com> <515F36B3.4090805@redhat.com> <516CB1C1.3080507@redhat.com> Message-ID: <516D7A12.9030105@redhat.com> On 4/15/2013 9:04 PM, Endi Sukma Dewata wrote: > On 4/5/2013 3:40 PM, Endi Sukma Dewata wrote: >> On 3/21/2013 3:23 PM, Endi Sukma Dewata wrote: >>> An upgrade script has been added to update the context.xml to >>> configure the random number generator. >>> >>> Ticket #545 >> >> Rebased on top of #221-1. > > Revised the patch to do pretty print using python-lxml library. ACKed by Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Apr 16 21:38:07 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 16:38:07 -0500 Subject: [Pki-devel] [PATCH] 228 Refactored pki.upgrade module. Message-ID: <516DC4BF.4030506@redhat.com> Some common constants and methods in pki.upgrade have been moved into the pki module. Ticket #544 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0228-Refactored-pki.upgrade-module.patch Type: text/x-patch Size: 19531 bytes Desc: not available URL: From edewata at redhat.com Tue Apr 16 21:38:13 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 16:38:13 -0500 Subject: [Pki-devel] [PATCH] 229 Tracking upgrade using existing config files. Message-ID: <516DC4C5.6050305@redhat.com> The upgrade framework has been modified to use pki.conf to track system upgrade, tomcat.conf to track instance upgrade, and CS.cfg to track subsystem upgrade. The preop.product.version in CS.cfg has been renamed into product.version and is now used to track upgrade. Ticket #544 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0229-Tracking-upgrade-using-existing-config-files.patch Type: text/x-patch Size: 16690 bytes Desc: not available URL: From edewata at redhat.com Wed Apr 17 01:08:00 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 20:08:00 -0500 Subject: [Pki-devel] [PATCH] 50 Remove [OPTIONS] in the usage text, when there are no options for the CLI #543 In-Reply-To: <1365527306.2168.13.camel@akoneru.redhat.com> References: <1365527306.2168.13.camel@akoneru.redhat.com> Message-ID: <516DF5F0.8060702@redhat.com> On 4/9/2013 12:08 PM, Abhishek Koneru wrote: > Please review the patch which fixes ticket #543 and a similar occurrence > of the issue in other cli commands. ACK. -- Endi S. Dewata From edewata at redhat.com Wed Apr 17 01:08:47 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 20:08:47 -0500 Subject: [Pki-devel] [PATCH] 228 Refactored pki.upgrade module. In-Reply-To: <516DC4BF.4030506@redhat.com> References: <516DC4BF.4030506@redhat.com> Message-ID: <516DF61F.1070000@redhat.com> On 4/16/2013 4:38 PM, Endi Sukma Dewata wrote: > Some common constants and methods in pki.upgrade have been moved > into the pki module. > > Ticket #544 Revised the patch to remove extra debugging line. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0228-1-Refactored-pki.upgrade-module.patch Type: text/x-patch Size: 19448 bytes Desc: not available URL: From edewata at redhat.com Wed Apr 17 01:09:05 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 16 Apr 2013 20:09:05 -0500 Subject: [Pki-devel] [PATCH] 226 Automatic upgrade on RPM upgrade. In-Reply-To: <516322A7.1050104@redhat.com> References: <516322A7.1050104@redhat.com> Message-ID: <516DF631.6090706@redhat.com> On 4/8/2013 3:03 PM, Endi Sukma Dewata wrote: > The spec has been modified to run pki-upgrade on post server > installation. > > Ticket #544 New patch attached. Changed log file name. Added header and footer. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0226-1-Automatic-upgrade-on-RPM-upgrade.patch Type: text/x-patch Size: 1754 bytes Desc: not available URL: From alee at redhat.com Wed Apr 17 03:09:21 2013 
From: alee at redhat.com (Ade Lee) Date: Tue, 16 Apr 2013 23:09:21 -0400 Subject: [Pki-devel] [PATCH] 226 Automatic upgrade on RPM upgrade. In-Reply-To: <516DF631.6090706@redhat.com> References: <516322A7.1050104@redhat.com> <516DF631.6090706@redhat.com> Message-ID: <1366168161.540.3.camel@aleeredhat.laptop> On Tue, 2013-04-16 at 20:09 -0500, Endi Sukma Dewata wrote: > On 4/8/2013 3:03 PM, Endi Sukma Dewata wrote: > > The spec has been modified to run pki-upgrade on post server > > installation. > > > > Ticket #544 > > New patch attached. Changed log file name. Added header and footer. > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK From alee at redhat.com Wed Apr 17 14:12:01 2013 From: alee at redhat.com (Ade Lee) Date: Wed, 17 Apr 2013 10:12:01 -0400 Subject: [Pki-devel] [PATCH] 51 Remove sensitive parameters from the archived configuration file. Ticket #566 In-Reply-To: <1365625868.4458.2.camel@akoneru.redhat.com> References: <1365625868.4458.2.camel@akoneru.redhat.com> Message-ID: <1366207921.24333.1.camel@aleeredhat.laptop> Comments: 1. Can you explain the addition of the line in pkiparser.py? 2. I would prefer that the sensitive parameters still be logged - but with values XXXXXX, rather than being removed. Ade On Wed, 2013-04-10 at 16:31 -0400, Abhishek Koneru wrote: > Please review the patch which removes storing the sensitive parameters > in the archived deployment configuration file. (Ticket #566) > > --Abhishek > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Wed Apr 17 14:35:07 2013 
From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 17 Apr 2013 10:35:07 -0400 Subject: [Pki-devel] [PATCH] 50 Remove [OPTIONS] in the usage text, when there are no options for the CLI #543 In-Reply-To: <516DF5F0.8060702@redhat.com> References: <1365527306.2168.13.camel@akoneru.redhat.com> <516DF5F0.8060702@redhat.com> Message-ID: <1366209307.5787.0.camel@akoneru.redhat.com> Pushed to master. On Tue, 2013-04-16 at 20:08 -0500, Endi Sukma Dewata wrote: > On 4/9/2013 12:08 PM, Abhishek Koneru wrote: > > Please review the patch which fixes ticket #543 and a similar occurrence > > of the issue in other cli commands. > > ACK. > From akoneru at redhat.com Wed Apr 17 15:28:55 2013 
From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 17 Apr 2013 11:28:55 -0400 Subject: [Pki-devel] [PATCH] 51-2 Fixes for Patch 51 - Remove sensitive parameters from the archived configuration file. Ticket #566 In-Reply-To: <1366207921.24333.1.camel@aleeredhat.laptop> References: <1365625868.4458.2.camel@akoneru.redhat.com> <1366207921.24333.1.camel@aleeredhat.laptop> Message-ID: <1366212535.5787.4.camel@akoneru.redhat.com> Please review the patch with fixes to the comments given for patch 51. --Abhishek On Wed, 2013-04-17 at 10:12 -0400, Ade Lee wrote: > Comments: > > 1. Can you explain the addition of the line in pkiparser.py? > 2. I would prefer that the sensitive parameters still be logged - but > with values XXXXXX, rather than being removed. Sensitive parameters have values as XXXXXXXX in the archived file. > > Ade > > On Wed, 2013-04-10 at 16:31 -0400, Abhishek Koneru wrote: > > Please review the patch which removes storing the sensitive parameters > > in the archived deployment configuration file. (Ticket #566) > > > > --Abhishek > > _______________________________________________ > > Pki-devel mailing list > > Pki-devel at redhat.com > > https://www.redhat.com/mailman/listinfo/pki-devel > > -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0051-2-Remove-sensitive-parameters-from-archived-deployment.patch Type: text/x-patch Size: 2747 bytes Desc: not available URL: From edewata at redhat.com Wed Apr 17 16:11:09 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Apr 2013 11:11:09 -0500 Subject: [Pki-devel] [PATCH] 226 Automatic upgrade on RPM upgrade. In-Reply-To: <1366168161.540.3.camel@aleeredhat.laptop> References: <516322A7.1050104@redhat.com> <516DF631.6090706@redhat.com> <1366168161.540.3.camel@aleeredhat.laptop> Message-ID: <516EC99D.2070900@redhat.com> On 4/16/2013 10:09 PM, Ade Lee wrote: > ACK Pushed to master. -- Endi S. Dewata From edewata at redhat.com Wed Apr 17 16:12:02 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Apr 2013 11:12:02 -0500 Subject: [Pki-devel] [PATCH] 228 Refactored pki.upgrade module. In-Reply-To: <516DF61F.1070000@redhat.com> References: <516DC4BF.4030506@redhat.com> <516DF61F.1070000@redhat.com> Message-ID: <516EC9D2.6060209@redhat.com> On 4/16/2013 8:08 PM, Endi Sukma Dewata wrote: > On 4/16/2013 4:38 PM, Endi Sukma Dewata wrote: >> Some common constants and methods in pki.upgrade have been moved >> into the pki module. >> >> Ticket #544 > > Revised the patch to remove extra debugging line. ACKed by Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Wed Apr 17 16:14:47 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 17 Apr 2013 11:14:47 -0500 Subject: [Pki-devel] [PATCH] 229 Tracking upgrade using existing config files. In-Reply-To: <516DC4C5.6050305@redhat.com> References: <516DC4C5.6050305@redhat.com> Message-ID: <516ECA77.60001@redhat.com> On 4/16/2013 4:38 PM, Endi Sukma Dewata wrote: > The upgrade framework has been modified to use pki.conf to track > system upgrade, tomcat.conf to track instance upgrade, and CS.cfg > to track subsystem upgrade. > > The preop.product.version in CS.cfg has been renamed into > product.version and is now used to track upgrade. Per review feedback the default tracker delimiter is replaced with '=' and product.version is renamed to cms.product.version. ACKed by Ade. Pushed to master. -- Endi S. Dewata From akoneru at redhat.com Wed Apr 17 16:18:09 2013 
From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 17 Apr 2013 12:18:09 -0400 Subject: [Pki-devel] [PATCH] 51-2 Fixes for Patch 51 - Remove sensitive parameters from the archived configuration file. Ticket #566 In-Reply-To: <1366212535.5787.4.camel@akoneru.redhat.com> References: <1365625868.4458.2.camel@akoneru.redhat.com> <1366207921.24333.1.camel@aleeredhat.laptop> <1366212535.5787.4.camel@akoneru.redhat.com> Message-ID: <1366215489.5787.5.camel@akoneru.redhat.com> ACK'ed by Ade. Pushed to master. On Wed, 2013-04-17 at 11:28 -0400, Abhishek Koneru wrote: > Please review the patch with fixes to the comments given for patch 51. > > --Abhishek > > On Wed, 2013-04-17 at 10:12 -0400, Ade Lee wrote: > > Comments: > > > > 1. Can you explain the addition of the line in pkiparser.py? > > 2. I would prefer that the sensitive parameters still be logged - but > > with values XXXXXX, rather than being removed. > > Sensitive parameters have values as XXXXXXXX in the archived file. > > > > Ade > > > > On Wed, 2013-04-10 at 16:31 -0400, Abhishek Koneru wrote: > > > Please review the patch which removes storing the sensitive parameters > > > in the archived deployment configuration file. (Ticket #566) > > > > > > --Abhishek > > > _______________________________________________ > > > Pki-devel mailing list > > > Pki-devel at redhat.com > > > https://www.redhat.com/mailman/listinfo/pki-devel > > > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Wed Apr 17 16:58:16 2013 
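Added example, not code from patch 51 or from any message in this archive: one way to do what Ade asks for in the patch 51 thread above, keeping the sensitive parameters in the archived deployment configuration but with the value XXXXXXXX. The `_password` suffix rule, the function names and every key other than pki_backup_password are assumptions, and the sample configuration is constructed.

```python
import configparser
import io

MASK = "XXXXXXXX"
# Assumption: a key counts as sensitive when its name ends in "_password".
SENSITIVE_SUFFIXES = ("_password",)

# Constructed sample; only pki_backup_password is named in the list traffic.
SAMPLE_CONFIG = """\
[DEFAULT]
pki_backup_password = Secret%123
pki_instance_name = pki-tomcat

[CA]
pki_admin_password = AdminSecret
pki_admin_email = caadmin@example.com

[KRA]
pki_backup_password = KraSecret
"""


def is_sensitive(key):
    return key.lower().endswith(SENSITIVE_SUFFIXES)


def _load(text):
    # RawConfigParser: a '%' inside a password must not be treated as
    # interpolation syntax. optionxform=str keeps key case unchanged.
    parser = configparser.RawConfigParser()
    parser.optionxform = str
    parser.read_string(text)
    return parser


def mask_deployment_config(text):
    """Return (archived_text, masked_keys) with sensitive values replaced."""
    parser = _load(text)
    masked = []
    # Mask [DEFAULT] first: its values are inherited by every section, so a
    # secret left there would leak through each section that does not override it.
    for key in list(parser.defaults()):
        if is_sensitive(key):
            parser.set(configparser.DEFAULTSECT, key, MASK)
            masked.append((configparser.DEFAULTSECT, key))
    for section in parser.sections():
        for key in parser.options(section):
            # Inherited keys already read back as MASK; only section-level
            # overrides still carry a real value at this point.
            if is_sensitive(key) and parser.get(section, key) != MASK:
                parser.set(section, key, MASK)
                masked.append((section, key))
    out = io.StringIO()
    parser.write(out)
    return out.getvalue(), masked


def leaked_secrets(original_text, archived_text):
    """List every sensitive value of the original that survives in the archive."""
    parser = _load(original_text)
    secrets = set()
    for section in [configparser.DEFAULTSECT] + parser.sections():
        keys = parser.defaults() if section == configparser.DEFAULTSECT \
            else parser.options(section)
        for key in keys:
            if is_sensitive(key):
                value = parser.defaults()[key] if section == configparser.DEFAULTSECT \
                    else parser.get(section, key)
                secrets.add(value)
    return sorted(s for s in secrets if s and s in archived_text)


if __name__ == "__main__":
    archived, masked = mask_deployment_config(SAMPLE_CONFIG)
    print(archived)
    print("masked:", masked)
    print("leaked:", leaked_secrets(SAMPLE_CONFIG, archived))
```
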
From: akoneru at redhat.com (Abhishek Koneru) Date: Wed, 17 Apr 2013 12:58:16 -0400 Subject: [Pki-devel] [PATCH] 48-2 Fixes for [Patch] 48 Show some more information after installation In-Reply-To: <1365537833.20292.3.camel@akoneru.redhat.com> References: <1365093354.11755.6.camel@akoneru.redhat.com> <1365173972.9176.5.camel@akoneru.redhat.com> <51630BA6.4040004@redhat.com> <1365537833.20292.3.camel@akoneru.redhat.com> Message-ID: <1366217896.5787.6.camel@akoneru.redhat.com> ACK'ed by Endi. Pushed to master. On Tue, 2013-04-09 at 16:03 -0400, Abhishek Koneru wrote: > Please review the patch with fixes for the review comments for patch 48 > > On Mon, 2013-04-08 at 13:25 -0500, Endi Sukma Dewata wrote: > > On 4/5/2013 9:59 AM, Abhishek Koneru wrote: > > > Some more changes added to the patch. Please ignore the previous post. > > > Please review the attached patch. > > > > Some comments: > > > > 1. There's a typo: > > > > PKI_CHECK_STATUS_MESSAGE = "COmmand... > > > > 2. Please also show the following information: > > - Admin username > > - Location of client database > > - Client certificate nickname > > > Added these details. > > This way the admin knows the parameters needed to use the CLI. > > > > 3. Could we move these messages before 'Installation complete'? If the > > messages are long it will be more difficult to see the result of the > > installation. > > Information is printed above the 'Installation complete' message. > > > > 4. Some trailing whitespaces. > Fixed. > > > > --Abhishek > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From akoneru at redhat.com Wed Apr 17 18:14:38 2013 
From: akoneru at redhat.com (Abhishek Koneru)
Date: Wed, 17 Apr 2013 14:14:38 -0400
Subject: [Pki-devel] [PATCH] 49 Retry setting selinux contexts incase of concurrent pkispawn/pkidestroy execution on a machine - Ticket 470
In-Reply-To: <1365522678.2168.10.camel@akoneru.redhat.com>
References: <1365430968.4393.4.camel@akoneru.redhat.com> <51630BE5.4080505@redhat.com> <1365522678.2168.10.camel@akoneru.redhat.com>
Message-ID: <1366222478.5787.10.camel@akoneru.redhat.com>

After discussing with Endi on IRC, I made these changes before pushing to master.
- Changed the while counter < max_tries to while True.
- Error checked as error_message.strip == "Could not start semanage transaction" rather than doing an 'in' operation.
- Changed the condition counter == max_tries in except block to counter >= max_tries.

--Abhishek

On Tue, 2013-04-09 at 11:51 -0400, Abhishek Koneru wrote:
> Please review the patch with fixes for comments given by Endi.
>
> --Abhishek
> On Mon, 2013-04-08 at 13:26 -0500, Endi Sukma Dewata wrote:
> > On 4/8/2013 9:22 AM, Abhishek Koneru wrote:
> > > Please review the patch which adds a retry mechanism if a semanage
> > > transaction lock could not be acquired by a pkispawn/pkidestroy
> > > execution. Normally, if a process does not get SELinux transaction lock
> > > it throws an error and quits.
> > >
> > > This patch allows pkispawn/pkidestroy to retry 10 times with a 5 second
> > > interval between each try.
> >
> > Some comments:
> >
> > 1. Is there any document describing that the SELinux transaction would
> > throw an exception instead of blocking? Or did you already confirm this
> > with someone?
> >
> > 2. Do you have the link of the ticket that handles this issue in DS?
> > Please put it in ticket #470 as a reference.
>
> -- Added the reference in the comments section of #470
> >
> > 3. Is there a reliable way to test this?
>
> Tested the scenario using the following script.
> #!/usr/bin/python
>
> import selinux
> if selinux.is_selinux_enabled():
>     print('SELinux is enabled')
> import seobject
>
> try:
>     # Open a semanage transaction and add one port label inside it.
>     trans = seobject.semanageRecords("targeted")
>     trans.start()
>     portRecords = seobject.portRecords()
>     portRecords.add('8492', "tcp", "s0", 'http_port_t')
>     trans.finish()
> except ValueError as e:
>     s = str(e)
>     # str.find() returns -1 when the text is absent.
>     if s.find('Could not start semanage transaction') != -1:
>         print(s)
>
> Executed the same script simultaneously in two terminals. Only one
> script completed the transaction, and the other failed throwing a
> ValueError.
> libsemanage.semanage_get_lock: Could not get direct transaction lock
> at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource
> temporarily unavailable).
> ValueError: Could not start semanage transaction
>
> >
> > 4. The comment for adding SELinux contexts incorrectly says:
> >
> > # A maximum of 10 tries to delete the SELinux contexts
> >
> -- Rectified
> > 5. The code checks the type of error based on error message:
> >
> > if error_message.find("Could not start semanage transaction")
> >
> > The problem is that the error message might change or be translated so
> > it would not match. Can we check using the exception class or error code?
> >
> The methods in classes in seobject throw just the ValueErrors if there
> is an exception during execution. No error codes returned. Since the
> retry has to be done only when the transaction could not begin without
> getting the lock, a check on the error message is done.
> > 6. The timeOut variable is used as a counter for number of tries. It
> > might be better to use the following variable names for better clarity:
> >
> > counter = 1
> > max_tries = 10
> >
>
> -- Changed the variable names
> > 7. There's a bug in the patch. Suppose it fails to start transaction
> > when timeOut is 9, it will enter the exception handling code, then
> > timeOut is incremented to 10. Since timeOut is not bigger than 10 it
> > doesn't throw an exception:
> >
> > if timeOut > 10:
> >     raise
> >
> > Then it goes back to the loop, but since timeOut is not less than 10 the
> > loop now will terminate:
> >
> > while timeOut < 10:
> >
> > So the code will continue without throwing an error. I think it would be
> > better to check the timeOut in just one location instead of in two
> > places to avoid bugs like this.
>
> -- Fixed. Modified the check in catch clause to, counter == max_tries
> >
> > 8. Some trailing whitespaces.
> >
> Fixed.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Thu Apr 18 18:45:25 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 18 Apr 2013 13:45:25 -0500
Subject: [Pki-devel] [PATCH] 230 Adding CLI functionality to import CA certificate.
Message-ID: <51703F45.9010503@redhat.com>

The CLI has been modified such that when it connects to an untrusted server it will ask the user whether to import the CA certificate and also ask for the location of the CA server from which to download the CA certificate.

Ticket #491

-- Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0230-Adding-CLI-functionality-to-import-CA-certificate.patch
Type: text/x-patch
Size: 7688 bytes
Desc: not available
URL:

From akoneru at redhat.com Thu Apr 18 18:53:24 2013
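Added example, not code from patch 49 or from any message in this archive: the retry loop discussed in the patch 49 thread above, in two forms. `retry_as_reviewed` is reconstructed from review comment 7 (two separate limit checks) and `retry_semanage` follows the three changes listed before the push (while True, exact match on the stripped message, counter >= max_tries). All function and class names are assumptions, and `FlakyTransaction` is a constructed stand-in so the code runs without SELinux.

```python
import time

# Message quoted in the thread; seobject reports lock contention only as a
# ValueError carrying this text, with no error code.
LOCK_ERROR = "Could not start semanage transaction"


class FlakyTransaction:
    """Constructed stand-in for a semanage transaction that fails N times."""

    def __init__(self, failures, message=LOCK_ERROR):
        self.failures = failures
        self.message = message
        self.calls = 0

    def __call__(self):
        self.calls += 1
        if self.calls <= self.failures:
            raise ValueError(self.message)
        return "committed"


def retry_as_reviewed(operation, sleep=time.sleep):
    """Loop shape described in review comment 7: the limit is tested twice."""
    timeOut = 0
    while timeOut < 10:
        try:
            return operation()
        except ValueError as e:
            if LOCK_ERROR not in str(e):
                raise
            timeOut += 1
            if timeOut > 10:  # never true: the loop exits once timeOut is 10
                raise
            sleep(5)
    # Every try failed, yet no exception reaches the caller, so the
    # installer would carry on without the SELinux contexts set.
    return None


def retry_semanage(operation, max_tries=10, interval=5, sleep=time.sleep):
    """Single limit check inside the handler, as agreed before the push."""
    counter = 1
    while True:
        try:
            return operation()
        except ValueError as e:
            # Retry only on lock contention; any other ValueError is a real
            # failure and must surface immediately.
            if str(e).strip() != LOCK_ERROR:
                raise
            if counter >= max_tries:
                raise
            counter += 1
            sleep(interval)


if __name__ == "__main__":
    no_wait = lambda seconds: None  # skip real sleeping in the demo

    stuck = FlakyTransaction(failures=10**6)
    print("reviewed loop returned:", retry_as_reviewed(stuck, sleep=no_wait),
          "after", stuck.calls, "tries")

    stuck = FlakyTransaction(failures=10**6)
    try:
        retry_semanage(stuck, sleep=no_wait)
    except ValueError as e:
        print("fixed loop raised:", e, "after", stuck.calls, "tries")

    brief = FlakyTransaction(failures=3)
    print("fixed loop result:", retry_semanage(brief, sleep=no_wait),
          "after", brief.calls, "tries")
```
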
From: akoneru at redhat.com (Abhishek Koneru) Date: Thu, 18 Apr 2013 14:53:24 -0400 Subject: [Pki-devel] [PATCH] 52 Fix minor issues in RA and TPS configuration panels. #452 Message-ID: <1366311204.10308.1.camel@akoneru.redhat.com> Please review the patch with fixes for minor issues in configuration panels of RA and TPS. Ticket #452. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0052-Minor-fixes-in-a-few-configuration-UI-panels-of-RA-a.patch Type: text/x-patch Size: 10774 bytes Desc: not available URL: From edewata at redhat.com Thu Apr 18 19:34:09 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 18 Apr 2013 14:34:09 -0500 Subject: [Pki-devel] [PATCH] 231 Using FQDN instead of localhost in CLI Message-ID: <51704AB1.9060107@redhat.com> The CLI has been modified such that by default it will use FQDN instead of localhost to avoid SSL certificate warnings. Ticket #541 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0231-Using-FQDN-instead-of-localhost-in-CLI.patch Type: text/x-patch Size: 2671 bytes Desc: not available URL: From alee at redhat.com Fri Apr 19 03:18:41 2013 From: alee at redhat.com (Ade Lee) Date: Thu, 18 Apr 2013 23:18:41 -0400 Subject: [Pki-devel] [PATCH] 231 Using FQDN instead of localhost in CLI In-Reply-To: <51704AB1.9060107@redhat.com> References: <51704AB1.9060107@redhat.com> Message-ID: <1366341521.2337.1.camel@aleeredhat.laptop> ack On Thu, 2013-04-18 at 14:34 -0500, Endi Sukma Dewata wrote: > The CLI has been modified such that by default it will use FQDN > instead of localhost to avoid SSL certificate warnings. > > Ticket #541 > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From edewata at redhat.com Fri Apr 19 18:19:15 2013 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Apr 2013 13:19:15 -0500 Subject: [Pki-devel] [PATCH] 232 Added options to reject/ignore cert validity statuses. Message-ID: <51718AA3.9070208@redhat.com> New options have been added to the CLI to reject or ignore certain cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN. The options can also be defined in pki.conf as a system-wide policy. Ticket #491 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0232-Added-options-to-reject-ignore-cert-validity-statuse.patch Type: text/x-patch Size: 14559 bytes Desc: not available URL: From akoneru at redhat.com Fri Apr 19 18:42:54 2013 From: akoneru at redhat.com (Abhishek Koneru) Date: Fri, 19 Apr 2013 14:42:54 -0400 Subject: [Pki-devel] [PATCH] 53 Check the actual result when revoking/unrevoking a certificate in CLI. Ticket 217 Message-ID: <1366396974.2405.2.camel@akoneru.redhat.com> Please review the patch for trac ticket 217. Added an additional check over the actual result of a revoke/unrevoke operation. --Abhishek -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-akoneru-0053-Check-the-actual-result-of-operations-cert-revoke-un.patch Type: text/x-patch Size: 11114 bytes Desc: not available URL: From edewata at redhat.com Fri Apr 19 18:53:50 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 19 Apr 2013 13:53:50 -0500 Subject: [Pki-devel] [PATCH] 231 Using FQDN instead of localhost in CLI In-Reply-To: <1366341521.2337.1.camel@aleeredhat.laptop> References: <51704AB1.9060107@redhat.com> <1366341521.2337.1.camel@aleeredhat.laptop> Message-ID: <517192BE.4000808@redhat.com> On 4/18/2013 10:18 PM, Ade Lee wrote: > ack Pushed to master. -- Endi S. Dewata From alee at redhat.com Fri Apr 19 19:32:10 2013 
From: alee at redhat.com (Ade Lee)
Date: Fri, 19 Apr 2013 15:32:10 -0400
Subject: [Pki-devel] [PATCH] 127 - add servlet to return 501 or d9 style instances
Message-ID: <1366399930.2337.3.camel@aleeredhat.laptop>

Added servlet to return 501 for rest operations for d9 instances

D9 instances run on tomcat6, which does not have support for the
authenticator and realm. We are not supporting the REST operations on
D9 style instances. They will need to be migrated.

The migration framework has been modified to process d9 or d10 style
instances, and a migration script has been added to add the new servlet
to existing d9 instances.

Please review.

Thanks,
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0127-Added-servlet-to-return-501-for-rest-operations-for-.patch
Type: text/x-patch
Size: 26433 bytes
Desc: not available
URL:

From awnuk at redhat.com Fri Apr 19 22:52:45 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Fri, 19 Apr 2013 15:52:45 -0700
Subject: [Pki-devel] [PATCH] random certificate serial numbers
Message-ID: <5171CABD.8020809@redhat.com>

This patch adds support for random certificate serial numbers.

Bug 912554.
-------------- next part --------------
diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java index 21859a0..39f336b 100644 --- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java @@ -34,6 +34,7 @@ import org.mozilla.jss.crypto.SignatureAlgorithm; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.dbs.IDBSubsystem; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.crldb.ICRLRepository; import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; 
@@ -473,6 +474,13 @@ public interface ICertificateAuthority extends ISubsystem { public IService getCAService(); /** + * Retrieves the DB subsystem managing internal data storage. + * + * @return DB subsystem object + */ + public IDBSubsystem getDBSubsystem(); + + /** * Returns the in-memory count of the processed OCSP requests. * * @return number of processed OCSP requests in memory diff --git a/base/common/src/com/netscape/certsrv/common/Constants.java b/base/common/src/com/netscape/certsrv/common/Constants.java index 880e146..bc8dcef 100644 --- a/base/common/src/com/netscape/certsrv/common/Constants.java +++ b/base/common/src/com/netscape/certsrv/common/Constants.java @@ -346,6 +346,8 @@ public interface Constants { public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms"; public final static String PR_SERIAL = "startSerialNumber"; public final static String PR_MAXSERIAL = "maxSerialNumber"; + public final static String PR_SN_MANAGEMENT = "serialNumberManagement"; + public final static String PR_RANDOM_SN = "randomSerialNumbers"; /*======================================================== * Access Control diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java index dfa5312..de4060e 100644 --- a/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java @@ -23,6 +23,7 @@ import netscape.ldap.LDAPConnection; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.IConfigStore; /** * An interface represents certificate server 
@@ -204,6 +205,32 @@ public interface IDBSubsystem extends ISubsystem { public void setEnableSerialMgmt(boolean value) throws EBaseException; /** + * Gets internal DB configuration store + * + * @return internal DB configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Gets DB subsystem configuration store + * + * @return DB subsystem configuration store + */ + public IConfigStore getDBConfigStore(); + + /** + * Gets attribute value for specified entry + * + * @param dn entry's distinguished name + * @param attrName attribute's name + * @param defaultValue attribute's default value + * @param errorValue attribute's error value + * @return attribute value + */ + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue); + + /** * Returns LDAP connection to connection pool. * * @param conn connection to be returned diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java index d54cfb3..40d22d6 100644 --- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java +++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java @@ -42,6 +42,16 @@ import com.netscape.cmscore.dbs.CertificateRepository.RenewableCertificateCollec public interface ICertificateRepository extends IRepository { /** + * Retrieves the next certificate serial number, and also increases + * the serial number by one. + * + * @return serial number + * @exception EBaseException failed to retrieve next serial number + */ + public BigInteger getNextSerialNumber() + throws EBaseException; + + /** * Adds a certificate record to the repository. Each certificate * record contains four parts: certificate, meta-attributes, * issue information and reovcation information. 
@@ -512,5 +522,23 @@ public interface ICertificateRepository extends IRepository { */ public void removeCertRecords(BigInteger beginS, BigInteger endS) throws EBaseException; + /** + * Retrieves serial number management mode. + * + * @return serial number management mode, + * "true" indicates random serial number management, + * "false" indicates sequential serial number management. + */ + public boolean getEnableRandomSerialNumbers(); + + /** + * Sets serial number management mode for certificates.. + * + * @param random "true" sets random serial number management, "false" sequential + * @param updateMode "true" updates "description" attribute in certificate repository + * @param forceModeChange "true" forces certificate repository mode change + */ + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange); + public void shutdown(); } diff --git a/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java index 12dc71c..dd5f557 100644 --- a/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java @@ -32,6 +32,7 @@ public interface IRepositoryRecord extends IDBObj { public final static String ATTR_SERIALNO = "serialNo"; public final static String ATTR_PUB_STATUS = "publishingStatus"; + public final static String ATTR_DESCRIPTION = "description"; /** * Retrieves serial number. @@ -41,4 +42,6 @@ public interface IRepositoryRecord extends IDBObj { public BigInteger getSerialNumber(); public String getPublishingStatus(); + + public String getDescription(); } diff --git a/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java index 9e06f04..09c77e5 100644 --- a/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java 
+++ b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java @@ -1480,6 +1480,10 @@ public class CAAdminServlet extends AdminServlet { getSigningAlgConfig(params); getSerialConfig(params); getMaxSerialConfig(params); + params.put(Constants.PR_SN_MANAGEMENT, + Boolean.toString(mCA.getDBSubsystem().getEnableSerialMgmt())); + params.put(Constants.PR_RANDOM_SN, + Boolean.toString(mCA.getCertificateRepository().getEnableRandomSerialNumbers())); sendResponse(SUCCESS, null, params, resp); } @@ -1549,6 +1553,10 @@ public class CAAdminServlet extends AdminServlet { mCA.setStartSerial(value); } else if (key.equals(Constants.PR_MAXSERIAL)) { mCA.setMaxSerial(value); + } else if (key.equals(Constants.PR_SN_MANAGEMENT)) { + mCA.getDBSubsystem().setEnableSerialMgmt(Boolean.valueOf(value)); + } else if (key.equals(Constants.PR_RANDOM_SN)) { + mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true, false); } } diff --git a/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java index c2ecb87..b953351 100644 --- a/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java +++ b/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java @@ -25,6 +25,7 @@ import java.util.Date; import java.util.Enumeration; import java.util.Hashtable; import java.util.Vector; +import java.util.Random; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ThreadFactory; 
@@ -43,8 +44,10 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.ca.ICRLIssuingPoint; import com.netscape.certsrv.dbs.EDBException; +import com.netscape.certsrv.dbs.EDBRecordNotFoundException; import com.netscape.certsrv.dbs.IDBSSession; import com.netscape.certsrv.dbs.IDBSearchResults; import com.netscape.certsrv.dbs.IDBSubsystem; @@ -56,6 +59,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.certdb.IRevocationInfo; import com.netscape.certsrv.dbs.repository.IRepository; +import com.netscape.certsrv.dbs.repository.IRepositoryRecord; import com.netscape.certsrv.logging.ILogger; /** @@ -71,6 +75,15 @@ public class CertificateRepository extends Repository implements ICertificateRepository { public final String CERT_X509ATTRIBUTE = "x509signedcert"; + private static final String PROP_ENABLE_RANDOM_SERIAL_NUMBERS = "enableRandomSerialNumbers"; + private static final String PROP_RANDOM_SERIAL_NUMBER_COUNTER = "randomSerialNumberCounter"; + private static final String PROP_FORCE_MODE_CHANGE = "forceModeChange"; + private static final String PROP_RANDOM_MODE = "random"; + private static final String PROP_SEQUENTIAL_MODE = "sequential"; + private static final String PROP_COLLISION_RECOVERY_STEPS = "collisionRecoverySteps"; + private static final String PROP_COLLISION_RECOVERY_REGENERATIONS = "collisionRecoveryRegenerations"; + private static final String PROP_MINIMUM_RANDOM_BITS = "minimumRandomBits"; + private static final BigInteger BI_MINUS_ONE = (BigInteger.ZERO).subtract(BigInteger.ONE); private IDBSubsystem mDBService; private String mBaseDN; 
@@ -85,6 +98,15 @@ public class CertificateRepository extends Repository private int mTransitMaxRecords = 1000000; private int mTransitRecordPageSize = 200; + private Random mRandom = null; + private int mBitLength = 0; + private BigInteger mRangeSize = null; + private int mMinRandomBitLength = 4; + private int mMaxCollisionRecoverySteps = 10; + private int mMaxCollisionRecoveryRegenerations = 3; + private IConfigStore mDBConfig = null; + private boolean mForceModeChange = false; + public CertStatusUpdateTask certStatusUpdateTask; public RetrieveModificationsTask retrieveModificationsTask; 
@@ -96,12 +118,302 @@ public class CertificateRepository extends Repository super(dbService, increment, baseDN); mBaseDN = certRepoBaseDN; mDBService = dbService; + mDBConfig = mDBService.getDBConfigStore(); } public ICertRecord createCertRecord(BigInteger id, Certificate cert, MetaInfo meta) { return new CertRecord(id, cert, meta); } + public boolean getEnableRandomSerialNumbers() { + return mEnableRandomSerialNumbers; + } + + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange) { + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers random="+random+" updateMode="+updateMode); + if (mEnableRandomSerialNumbers ^ random || forceModeChange) { + mEnableRandomSerialNumbers = random; + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers switching to " + + ((random)?PROP_RANDOM_MODE:PROP_SEQUENTIAL_MODE) + " mode"); + if (updateMode) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + } + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + + BigInteger lastSerialNumber = null; + try { + lastSerialNumber = getLastSerialNumberInRange(mMinSerialNo,mMaxSerialNo); + } catch (Exception e) { + } + if (lastSerialNumber != null) { + super.setLastSerialNo(lastSerialNumber); + if (mEnableRandomSerialNumbers) { + mCounter = lastSerialNumber.subtract(mMinSerialNo).add(BigInteger.ONE); + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers mCounter="+ + mCounter+"="+lastSerialNumber+"-"+mMinSerialNo+"+1"); + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + } else { + mCounter = BI_MINUS_ONE; + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + } + } + + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + } + } + + private BigInteger getRandomNumber() throws EBaseException { + BigInteger 
randomNumber = null; + + if (mRandom == null) { + mRandom = new Random(); + } + super.initCacheIfNeeded(); + + if (mRangeSize == null) { + mRangeSize = (mMaxSerialNo.subtract(mMinSerialNo)).add(BigInteger.ONE); + CMS.debug("CertificateRepository: getRandomNumber mRangeSize="+mRangeSize); + mBitLength = mRangeSize.bitLength(); + CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ + " >mMinRandomBitLength="+mMinRandomBitLength); + } + if (mBitLength < mMinRandomBitLength) { + CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ + " = 0 && + mMinSerialNo != null && mMaxSerialNo != null && + nextSerialNumber != null && + nextSerialNumber.compareTo(mMinSerialNo) >= 0 && + nextSerialNumber.compareTo(mMaxSerialNo) <= 0) { + mCounter = mCounter.add(BigInteger.ONE); + } + CMS.debug("CertificateRepository: getNextSerialNumber nextSerialNumber="+ + nextSerialNumber+" mCounter="+mCounter); + + super.checkRange(); + } else { + nextSerialNumber = super.getNextSerialNumber(); + } + } + + return nextSerialNumber; + } + + private void updateCounter() { + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + try { + super.initCacheIfNeeded(); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception from initCacheIfNeeded: "+e.getMessage()); + } + + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + CMS.debug("CertificateRepository: updateCounter CertificateRepositoryMode ="+crMode); + CMS.debug("CertificateRepository: updateCounter modeChange="+modeChange); + if (modeChange) { 
+ if (mForceModeChange) { + setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true, mForceModeChange); + } else { + setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false, mForceModeChange); + } + } else if (mEnableRandomSerialNumbers && mCounter != null && + mCounter.compareTo(BigInteger.ZERO) >= 0) { + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } + CMS.debug("CertificateRepository: UpdateCounter mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + } + + private BigInteger getInRangeCount(String fromTime, BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { + BigInteger count = BigInteger.ZERO; + String filter = null; + + if (fromTime != null && fromTime.length() > 0) { + filter = "(certCreateTime >= "+fromTime+")"; + } else { + filter = "(&("+ICertRecord.ATTR_ID+">="+minSerialNo+")("+ + ICertRecord.ATTR_ID+"<="+maxSerialNo+"))"; + } + CMS.debug("CertificateRepository: getInRangeCount filter="+filter+ + " minSerialNo="+minSerialNo+" maxSerialNo="+maxSerialNo); + + Enumeration e = findCertRecs(filter, new String[] {ICertRecord.ATTR_ID, "objectclass"}); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + if (rec != null) { + BigInteger sn = rec.getSerialNumber(); + if (fromTime == null || fromTime.length() == 0 || + (minSerialNo != null && maxSerialNo != null && + sn != null && sn.compareTo(minSerialNo) >= 0 && + sn.compareTo(maxSerialNo) <= 0)) { + count = count.add(BigInteger.ONE); + } + } + } + CMS.debug("CertificateRepository: getInRangeCount count=" + count); + + return count; + } + + private BigInteger getInRangeCounter(BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { 
+ String c = null; + String t = null; + String s = (mDBConfig.getString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-1")).trim(); + CMS.debug("CertificateRepository: getInRangeCounter: saved counter string="+s); + int i = s.indexOf(','); + int n = s.length(); + if (i > -1) { + if (i > 0) { + c = s.substring(0, i); + if (i < n) { + t = s.substring(i+1); + } + } else { + c = "-1"; + } + } else { + c = s; + } + CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); + + BigInteger counter = new BigInteger(c); + BigInteger count = BigInteger.ZERO; + if (CMS.isPreOpMode()) { + CMS.debug("CertificateRepository: getInRangeCounter: CMS.isPreOpMode"); + counter = new BigInteger("-2"); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-2"); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } else if (t != null) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if (count.compareTo(BigInteger.ZERO) > 0) { + counter = counter.add(count); + } + } else if (s.equals("-2")) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if (count.compareTo(BigInteger.ZERO) >= 0) { + counter = count; + } + } + CMS.debug("CertificateRepository: getInRangeCounter: counter=" + counter); + + return counter; + } + public BigInteger getLastSerialNumberInRange(BigInteger serial_low_bound, BigInteger serial_upper_bound) throws EBaseException { 
@@ -114,7 +426,43 @@ public class CertificateRepository extends Repository } - String ldapfilter = "(" + "certstatus" + "=*" + ")"; + mEnableRandomSerialNumbers = mDBConfig.getBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, false); + mForceModeChange = mDBConfig.getBoolean(PROP_FORCE_MODE_CHANGE, false); + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + mMinRandomBitLength = mDBConfig.getInteger(PROP_MINIMUM_RANDOM_BITS, 4); + mMaxCollisionRecoverySteps = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_STEPS, 10); + mMaxCollisionRecoveryRegenerations = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_REGENERATIONS, 3); + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: getLastSerialNumberInRange"+ + " mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers+ + " mMinRandomBitLength="+mMinRandomBitLength+ + " CollisionRecovery="+mMaxCollisionRecoveryRegenerations+","+mMaxCollisionRecoverySteps); + CMS.debug("CertificateRepository: getLastSerialNumberInRange modeChange="+modeChange+ + " mForceModeChange="+mForceModeChange+((crMode != null)?(" mode="+crMode):"")); + if (modeChange) { + if (mForceModeChange) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? 
PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + mForceModeChange = false; + mDBConfig.remove(PROP_FORCE_MODE_CHANGE); + } else { + mEnableRandomSerialNumbers = !mEnableRandomSerialNumbers; + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + } + } + if (mEnableRandomSerialNumbers && mCounter == null) { + mCounter = getInRangeCounter(serial_low_bound, serial_upper_bound); + } else { + mCounter = BI_MINUS_ONE; + } + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + CMS.debug("CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + + String ldapfilter = "("+ICertRecord.ATTR_CERT_STATUS+"=*"+")"; String[] attrs = null; @@ -130,7 +478,7 @@ public class CertificateRepository extends Repository BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); return ret; } @@ -156,6 +504,10 @@ public class CertificateRepository extends Repository if (((serial.compareTo(serial_low_bound) == 0) || (serial.compareTo(serial_low_bound) == 1)) && ((serial.compareTo(serial_upper_bound) == 0) || (serial.compareTo(serial_upper_bound) == -1))) { CMS.debug("getLastSerialNumberInRange returning: " + serial); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = serial.subtract(serial_low_bound).add(BigInteger.ONE); + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return serial; } } else { 
@@ -165,9 +517,13 @@ public class CertificateRepository extends Repository BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = BigInteger.ZERO; + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return ret; } @@ -275,6 +631,7 @@ public class CertificateRepository extends Repository transitRevokedExpiredCertificates(); CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, CMS.getLogMessage("CMSCORE_DBS_FINISH_REVOKED_EXPIRED_SEARCH")); + updateCounter(); } /** 
@@ -646,6 +1003,50 @@ public class CertificateRepository extends Repository return rec; } + public boolean checkCertificateRecord(BigInteger serialNo) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + CertRecord rec = null; + boolean exists = true; + + try { + String name = "cn" + "=" + + serialNo.toString() + "," + getDN(); + String attrs[] = { "DN" }; + + rec = (CertRecord) s.read(name, attrs); + if (rec == null) exists = false; + } catch (EDBRecordNotFoundException e) { + exists = false; + } catch (Exception e) { + throw new EBaseException(e.getMessage()); + } finally { + if (s != null) + s.close(); + } + return exists; + } + + private void setCertificateRepositoryMode(String mode) { + IDBSSession s = null; + + CMS.debug("CertificateRepository: setCertificateRepositoryMode setting mode: "+mode); + try { + s = mDBService.createSession(); + ModificationSet mods = new ModificationSet(); + String name = getDN(); + mods.add(IRepositoryRecord.ATTR_DESCRIPTION, Modification.MOD_REPLACE, mode); + s.modify(name, mods); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + try { + if (s != null) s.close(); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + } + public synchronized void modifyCertificateRecord(BigInteger serialNo, ModificationSet mods) throws EBaseException { IDBSSession s = mDBService.createSession(); @@ -1195,7 +1596,7 @@ public class CertificateRepository extends Repository String fromVal = "0"; try { if (from != null) { - Integer.parseInt(from); + new BigInteger(from); fromVal = from; } } catch (Exception e1) { diff --git a/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java b/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java index 0824cc9..be674bf 100644 --- a/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java 
+++ b/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java @@ -138,8 +138,6 @@ public class DBSubsystem implements IDBSubsystem { private static final String PROP_INCREMENT_NAME = "increment_name"; private static final String PROP_RANGE_DN = "rangeDN"; - private static final BigInteger BI_ONE = new BigInteger("1"); - private ILogger mLogger = null; // singleton enforcement @@ -424,7 +422,7 @@ public class DBSubsystem implements IDBSubsystem { conn.modify(dn, mods); // Add new range object - String endRange = nextRangeNo.add(incrementNo).subtract(BI_ONE).toString(); + String endRange = nextRangeNo.add(incrementNo).subtract(BigInteger.ONE).toString(); LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); attrs.add(new LDAPAttribute("objectClass", "pkiRange")); @@ -436,6 +434,8 @@ public class DBSubsystem implements IDBSubsystem { String dn2 = "cn=" + nextRange + "," + rangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn2, attrs); conn.add(rangeEntry); + CMS.debug("DBSubsystem: getNextRange Next range has been added: " + + nextRange + " - " + endRange); } catch (Exception e) { CMS.debug("DBSubsystem: getNextRange. Unable to provide next range :" + e); e.printStackTrace(); @@ -531,6 +531,7 @@ public class DBSubsystem implements IDBSubsystem { PROP_NEXT_SERIAL_NUMBER, "0"), 16); mEnableSerialMgmt = mDBConfig.getBoolean(PROP_ENABLE_SERIAL_MGMT, false); + CMS.debug("DBSubsystem: init() mEnableSerialMgmt="+mEnableSerialMgmt); // populate the certs hash entry Hashtable certs = new Hashtable(); @@ -783,6 +784,10 @@ public class DBSubsystem implements IDBSubsystem { reg.registerAttribute(IRepositoryRecord.ATTR_PUB_STATUS, new StringMapper(RepositorySchema.LDAP_ATTR_PUB_STATUS)); } + if (!reg.isAttributeRegistered(IRepositoryRecord.ATTR_DESCRIPTION)) { + reg.registerAttribute(IRepositoryRecord.ATTR_DESCRIPTION, + new StringMapper(RepositorySchema.LDAP_ATTR_DESCRIPTION)); + } } catch (EBaseException e) { if (CMS.isPreOpMode()) 
@@ -791,6 +796,47 @@ public class DBSubsystem implements IDBSubsystem { } } + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue) { + LDAPConnection conn = null; + String attrValue = null; + try { + conn = mLdapConnFactory.getConn(); + String[] attrs = { attrName }; + LDAPEntry entry = conn.read(dn, attrs); + if (entry != null) { + LDAPAttribute attr = entry.getAttribute(attrName); + if (attr != null) { + attrValue = (String) attr.getStringValues().nextElement(); + } else { + attrValue = defaultValue; + } + } else { + attrValue = errorValue; + } + } catch (LDAPException e) { + CMS.debug("DBSubsystem: getEntryAttribute LDAPException code="+e.getLDAPResultCode()); + if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) { + attrValue = defaultValue; + } + } catch (Exception e) { + CMS.debug("DBSubsystem: getEntryAttribute. Unable to retrieve '"+attrName+"': "+ e); + attrValue = errorValue; + } finally { + try { + if ((conn != null) && (mLdapConnFactory != null)) { + CMS.debug("Releasing ldap connection"); + mLdapConnFactory.returnConn(conn); + } + } catch (Exception e) { + CMS.debug("Error releasing the ldap connection" + e.toString()); + } + } + CMS.debug("DBSubsystem: getEntryAttribute: dn="+dn+" attr="+attrName+":"+attrValue+";"); + + return attrValue; + } + /** * Starts up this service. */ @@ -798,13 +844,20 @@ public class DBSubsystem implements IDBSubsystem { } /** - * Retrieves configuration store. + * Retrieves internal DB configuration store. */ public IConfigStore getConfigStore() { return mConfig; } /** + * Retrieves DB subsystem configuration store. + */ + public IConfigStore getDBConfigStore() { + return mDBConfig; + } + + /** * Retrieves base DN of backend database. */ public String getBaseDN() { diff --git a/base/common/src/com/netscape/cmscore/dbs/Repository.java b/base/common/src/com/netscape/cmscore/dbs/Repository.java index 57ac500..e6b6e83 100644 
--- a/base/common/src/com/netscape/cmscore/dbs/Repository.java +++ b/base/common/src/com/netscape/cmscore/dbs/Repository.java @@ -49,7 +49,6 @@ import com.netscape.certsrv.dbs.repository.IRepositoryRecord; public abstract class Repository implements IRepository { - private static final BigInteger BI_ONE = new BigInteger("1"); private BigInteger BI_INCREMENT = null; // (the next serialNo to be issued) - 1 private BigInteger mSerialNo = null; @@ -61,8 +60,10 @@ public abstract class Repository implements IRepository { private String mNextMaxSerial = null; private String mNextMinSerial = null; - private BigInteger mMinSerialNo = null; - private BigInteger mMaxSerialNo = null; + protected boolean mEnableRandomSerialNumbers = false; + protected BigInteger mCounter = null; + protected BigInteger mMinSerialNo = null; + protected BigInteger mMaxSerialNo = null; private BigInteger mNextMinSerialNo = null; private BigInteger mNextMaxSerialNo = null; @@ -149,6 +150,7 @@ public abstract class Repository implements IRepository { } BigInteger serial = rec.getSerialNumber(); + CMS.debug("Repository: getSerialNumber serial="+serial); if (!mInit) { // cms may crash after issue a cert but before update @@ -158,7 +160,7 @@ public abstract class Repository implements IRepository { serial + "," + mBaseDN); if (obj != null) { - serial = serial.add(BI_ONE); + serial = serial.add(BigInteger.ONE); setSerialNumber(serial); } } catch (EBaseException e) { @@ -246,6 +248,10 @@ public abstract class Repository implements IRepository { return mMinSerial; } + protected void setLastSerialNo(BigInteger lastSN) { + mLastSerialNo = lastSN; + } + /** * init serial number cache */ 
@@ -281,7 +287,10 @@ public abstract class Repository implements IRepository { String increment = mDB.getIncrementConfig(mRepo); String lowWaterMark = mDB.getLowWaterMarkConfig(mRepo); - CMS.debug("Repository: minSerial " + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: minSerial:" + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: nextMinSerial: " + ((mNextMinSerial == null)?"":mNextMinSerial) + + " nextMaxSerial: " + ((mNextMaxSerial == null)?"":mNextMaxSerial)); + CMS.debug("Repository: increment:" + increment + " lowWaterMark: " + lowWaterMark); if (mMinSerial != null) mMinSerialNo = new BigInteger(mMinSerial, mRadix); @@ -317,6 +326,11 @@ public abstract class Repository implements IRepository { } + protected void initCacheIfNeeded() throws EBaseException { + if (mLastSerialNo == null) + initCache(); + } + /** * get the next serial number in cache */ @@ -325,7 +339,7 @@ public abstract class Repository implements IRepository { CMS.debug("Repository:In getTheSerialNumber "); if (mLastSerialNo == null) initCache(); - BigInteger serial = new BigInteger((mLastSerialNo.add(BI_ONE)).toString()); + BigInteger serial = mLastSerialNo.add(BigInteger.ONE); if (mMaxSerialNo != null && serial.compareTo(mMaxSerialNo) > 0) return null; @@ -354,7 +368,7 @@ public abstract class Repository implements IRepository { // < BI_INCREMENT and server restart right afterwards. mDB.setNextSerialConfig(num); - mSerialNo = num.subtract(BI_ONE); + mSerialNo = num.subtract(BigInteger.ONE); mNext = num.add(BI_INCREMENT); setSerialNumber(mNext); } 
@@ -373,36 +387,65 @@ public abstract class Repository implements IRepository { if (mLastSerialNo == null) { initCache(); - - mLastSerialNo = mLastSerialNo.add(BI_ONE); - - } else { - mLastSerialNo = mLastSerialNo.add(BI_ONE); } - if (mLastSerialNo == null) { CMS.debug("Repository::getNextSerialNumber() " + "- mLastSerialNo is null!"); throw new EBaseException("mLastSerialNo is null"); } + mLastSerialNo = mLastSerialNo.add(BigInteger.ONE); + + checkRange(); + + BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); + + CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); + return retSerial; + } + + /** + * Checks to see if range needs to be switched. + * + * @exception EBaseException thrown when next range is not allocated + */ + protected void checkRange() throws EBaseException + { // check if we have reached the end of the range // if so, move to next range - if (mLastSerialNo.compareTo(mMaxSerialNo) > 0) { + BigInteger randomLimit = null; + BigInteger rangeLength = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + rangeLength = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE); + randomLimit = rangeLength.subtract(mLowWaterMarkNo.shiftRight(1)); + CMS.debug("Repository: checkRange rangeLength="+rangeLength); + CMS.debug("Repository: checkRange randomLimit="+randomLimit); + } + CMS.debug("Repository: checkRange mLastSerialNo="+mLastSerialNo); + if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 || + ((!CMS.isPreOpMode()) && randomLimit != null && mCounter.compareTo(randomLimit) > 0)) { + if (mDB.getEnableSerialMgmt()) { CMS.debug("Reached the end of the range. 
Attempting to move to next range"); + if ((mNextMinSerialNo == null) || (mNextMaxSerialNo == null)) { + if (rangeLength != null && mCounter.compareTo(rangeLength) < 0) { + return; + } else { + throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", + mLastSerialNo.toString())); + } + } mMinSerialNo = mNextMinSerialNo; mMaxSerialNo = mNextMaxSerialNo; - mNextMinSerialNo = null; - mNextMaxSerialNo = null; - if ((mMaxSerialNo == null) || (mMinSerialNo == null)) { - throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", - mLastSerialNo.toString())); - } mLastSerialNo = mMinSerialNo; + mNextMinSerialNo = null; + mNextMaxSerialNo = null; + mCounter = BigInteger.ZERO; + // persist the changes - mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString()); - mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString()); + mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix)); + mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString(mRadix)); mDB.setNextMinSerialConfig(mRepo, null); mDB.setNextMaxSerialConfig(mRepo, null); } else { @@ -410,11 +453,6 @@ public abstract class Repository implements IRepository { mLastSerialNo.toString())); } } - - BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); - - CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); - return retSerial; } /** 
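Review bot: checkRange() calls mCounter.compareTo(randomLimit) and mCounter.compareTo(rangeLength), but mCounter is declared as "protected BigInteger mCounter = null;" earlier in this patch, and none of the Repository.java hunks shown assign it before this point. If random mode is enabled and the subclass has not yet set the counter, the range check throws a NullPointerException while a serial number is being issued. Initialise mCounter (for example to BigInteger.ZERO) or guard both comparisons with a null check.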
@@ -436,13 +474,19 @@ public abstract class Repository implements IRepository { if (mLastSerialNo == null) initCache(); - BigInteger numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + BigInteger numsInRange = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + numsInRange = (mMaxSerialNo.subtract(mMinSerialNo)).subtract(mCounter); + } else { + numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + } BigInteger numsInNextRange = null; BigInteger numsAvail = null; CMS.debug("Serial numbers left in range: " + numsInRange.toString()); CMS.debug("Last Serial Number: " + mLastSerialNo.toString()); if ((mNextMaxSerialNo != null) && (mNextMinSerialNo != null)) { - numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo); + numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo).add(BigInteger.ONE); numsAvail = numsInRange.add(numsInNextRange); CMS.debug("Serial Numbers in next range: " + numsInNextRange.toString()); CMS.debug("Serial Numbers available: " + numsAvail.toString()); @@ -458,7 +502,7 @@ public abstract class Repository implements IRepository { CMS.debug("Next Range not available"); } else { CMS.debug("nNextMinSerialNo has been set to " + mNextMinSerialNo.toString(mRadix)); - mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo); + mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo).subtract(BigInteger.ONE); numsAvail = numsAvail.add(mIncrementNo); mDB.setNextMinSerialConfig(mRepo, mNextMinSerialNo.toString(mRadix)); mDB.setNextMaxSerialConfig(mRepo, mNextMaxSerialNo.toString(mRadix)); diff --git a/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java b/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java index 36d5ce9..a268f68 100644 --- a/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java +++ b/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java 
@@ -40,11 +40,13 @@ public class RepositoryRecord implements IRepositoryRecord { private static final long serialVersionUID = 1648450747848783853L; private BigInteger mSerialNo = null; private String mPublishingStatus = null; + private String mDescription = null; protected static Vector mNames = new Vector(); static { mNames.addElement(IRepositoryRecord.ATTR_SERIALNO); mNames.addElement(IRepositoryRecord.ATTR_PUB_STATUS); + mNames.addElement(IRepositoryRecord.ATTR_DESCRIPTION); } /** @@ -62,6 +64,8 @@ public class RepositoryRecord implements IRepositoryRecord { mSerialNo = (BigInteger) obj; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { mPublishingStatus = (String) obj; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + mDescription = (String) obj; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -75,6 +79,8 @@ public class RepositoryRecord implements IRepositoryRecord { return mSerialNo; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { return mPublishingStatus; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + return mDescription; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -108,4 +114,8 @@ public class RepositoryRecord implements IRepositoryRecord { public String getPublishingStatus() { return mPublishingStatus; } + + public String getDescription() { + return mDescription; + } } diff --git a/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java b/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java index 4ec8da6..5dfc555 100644 --- a/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java +++ b/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java 
@@ -31,4 +31,5 @@ public class RepositorySchema { public static final String LDAP_OC_REPOSITORY = "repository"; public static final String LDAP_ATTR_SERIALNO = "serialno"; public static final String LDAP_ATTR_PUB_STATUS = "publishingStatus"; + public final static String LDAP_ATTR_DESCRIPTION = "description"; } diff --git a/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java b/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java index 396121b..9b22213 100644 --- a/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java +++ b/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java @@ -168,4 +168,17 @@ public class DBSubsystemDefaultStub implements IDBSubsystem { // TODO Auto-generated method stub } + + @Override + public IConfigStore getDBConfigStore() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue) { + // TODO Auto-generated method stub + return null; + } } diff --git a/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java b/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java index bee66d6..4c89196 100644 --- a/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java +++ b/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java @@ -47,6 +47,8 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { private JTextField mSerialNumber; private JTextField mMaxSerialNumber; private JCheckBox mValidity; + private JCheckBox mEnableSerialNumberManagement; + private JCheckBox mEnableRandomSerialNumbers; private Vector mGroupData; private static final String HELPINDEX = "configuration-ca-general-help"; 
@@ -189,49 +191,86 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { gb2.setConstraints(dummy1, gbc); signingPanel.add(dummy1); + // add serial number management + CMSAdminUtil.resetGBC(gbc); + mEnableSerialNumberManagement = makeJCheckBox("MANAGEMENT"); + //mEnableSerialNumberManagement.setEnabled(false); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = 1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 0; + gb3.setConstraints(mEnableSerialNumberManagement, gbc); + serialPanel.add(mEnableSerialNumberManagement); + + // add random serial numbers + CMSAdminUtil.resetGBC(gbc); + mEnableRandomSerialNumbers = makeJCheckBox("RANDOM"); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = gbc.REMAINDER; //1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 1; + gb3.setConstraints(mEnableRandomSerialNumbers, gbc); + serialPanel.add(mEnableRandomSerialNumbers); + // add serial number block CMSAdminUtil.resetGBC(gbc); JLabel serialLabel = makeJLabel("SERIAL"); + serialLabel.setEnabled(false); gbc.anchor = gbc.CENTER; gb3.setConstraints(serialLabel, gbc); + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; - //gbc.insets = new Insets(COMPONENT_SPACE,0,COMPONENT_SPACE,0); - serialPanel.add(serialLabel); + gbc.gridx = 0; + gbc.gridy = 2; + //serialPanel.add(serialLabel); CMSAdminUtil.resetGBC(gbc); mSerialNumber = makeJTextField(17); mSerialNumber.setEnabled(false); gbc.anchor = gbc.NORTHWEST; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 2; gb3.setConstraints(mSerialNumber, gbc); - serialPanel.add(mSerialNumber); + //serialPanel.add(mSerialNumber); // add end serial number block CMSAdminUtil.resetGBC(gbc); JLabel maxSerialLabel = makeJLabel("MAXSERIAL"); - 
gbc.anchor = gbc.EAST; - //gbc.insets = new Insets(COMPONENT_SPACE,DIFFERENT_COMPONENT_SPACE,0,0); - gbc.weightx = 0.0; + maxSerialLabel.setEnabled(false); + gbc.anchor = gbc.CENTER; gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; + gbc.weighty = 1.0; gbc.gridx = 0; + gbc.gridy = 3; gb3.setConstraints(maxSerialLabel, gbc); - //gbc.weighty = 1.0; - serialPanel.add(maxSerialLabel); + //serialPanel.add(maxSerialLabel); CMSAdminUtil.resetGBC(gbc); mMaxSerialNumber = makeJTextField(17); mMaxSerialNumber.setEnabled(false); - gbc.anchor = gbc.NORTHWEST; - gbc.gridy = 1; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.anchor = gbc.CENTER; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 3; gb3.setConstraints(mMaxSerialNumber, gbc); - serialPanel.add(mMaxSerialNumber); + //serialPanel.add(mMaxSerialNumber); CMSAdminUtil.resetGBC(gbc); JLabel dummy2 = new JLabel(" "); @@ -249,13 +288,15 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { public void refresh() { mModel.progressStart(); NameValuePairs nvps = new NameValuePairs(); - nvps.put(Constants.PR_EE_ENABLED, ""); + //nvps.put(Constants.PR_EE_ENABLED, ""); //nvps.add(Constants.PR_RA_ENABLED, ""); nvps.put(Constants.PR_DEFAULT_ALGORITHM, ""); nvps.put(Constants.PR_ALL_ALGORITHMS, ""); nvps.put(Constants.PR_SERIAL, ""); nvps.put(Constants.PR_MAXSERIAL, ""); nvps.put(Constants.PR_VALIDITY, ""); + nvps.put(Constants.PR_SN_MANAGEMENT, ""); + nvps.put(Constants.PR_RANDOM_SN, ""); try { NameValuePairs val = mAdmin.read(DestDef.DEST_CA_ADMIN, 
@@ -268,22 +309,27 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { } mModel.progressStop(); clearDirtyFlag(); + enableFields(); } protected void populate(NameValuePairs nvps) { String defaultAlgorithm = ""; for (String name : nvps.keySet()) { String value = nvps.get(name); +/* if (name.equals(Constants.PR_EE_ENABLED)) { mEEEnable.setSelected(getBoolean(value)); } else if (name.equals(Constants.PR_OCSP_ENABLED)) { mOCSPEnable.setSelected(getBoolean(value)); -/* } else if (name.equals(Constants.PR_RA_ENABLED)) { mRAEnable.setSelected(getBoolean(nvp.getValue())); */ - } else if (name.equals(Constants.PR_VALIDITY)) { + if (name.equals(Constants.PR_VALIDITY)) { mValidity.setSelected(getBoolean(value)); + } else if (name.equals(Constants.PR_SN_MANAGEMENT)) { + mEnableSerialNumberManagement.setSelected(getBoolean(value)); + } else if (name.equals(Constants.PR_RANDOM_SN)) { + mEnableRandomSerialNumbers.setSelected(getBoolean(value)); } else if (name.equals(Constants.PR_DEFAULT_ALGORITHM)) { defaultAlgorithm = value; } else if (name.equals(Constants.PR_ALL_ALGORITHMS)) { @@ -321,9 +367,19 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { } public void actionPerformed(ActionEvent e) { + if (e.getSource().equals(mEnableSerialNumberManagement)) { + enableFields(); + } super.actionPerformed(e); } + private void enableFields() { + boolean enable = mEnableSerialNumberManagement.isSelected(); + mEnableRandomSerialNumbers.setEnabled(enable); + if (!enable) mEnableRandomSerialNumbers.setSelected(enable); + CMSAdminUtil.repaintComp(mEnableRandomSerialNumbers); + } + private String hexToDecimal(String hex) { //String newHex = hex.substring(2); @@ -338,6 +394,7 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { public boolean applyCallback() { NameValuePairs nvps = new NameValuePairs(); +/* if (mEEEnable.isSelected()) nvps.put(Constants.PR_EE_ENABLED, Constants.TRUE); else 
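Review bot: in populate() and applyCallback() the PR_EE_ENABLED and PR_OCSP_ENABLED handling is switched off by moving the opening /* up over it, and refresh() comments out the matching nvps.put. Commented-out branches like these are easy to revive by accident and obscure what the panel actually reads and sends. Delete the dead code (and the mEEEnable and mOCSPEnable fields if nothing else uses them) instead of widening the comment block.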
@@ -348,7 +405,6 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { else nvps.put(Constants.PR_OCSP_ENABLED, Constants.FALSE); -/* if (mRAEnable.isSelected()) nvps.add(Constants.PR_RA_ENABLED, Constants.TRUE); else @@ -360,6 +416,17 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { else nvps.put(Constants.PR_VALIDITY, Constants.FALSE); + if (mEnableSerialNumberManagement.isSelected()) + nvps.put(Constants.PR_SN_MANAGEMENT, Constants.TRUE); + else + nvps.put(Constants.PR_SN_MANAGEMENT, Constants.FALSE); + + if (mEnableSerialNumberManagement.isSelected() && + mEnableRandomSerialNumbers.isSelected()) + nvps.put(Constants.PR_RANDOM_SN, Constants.TRUE); + else + nvps.put(Constants.PR_RANDOM_SN, Constants.FALSE); + nvps.put(Constants.PR_DEFAULT_ALGORITHM, (String) mAlgorithms.getSelectedItem()); diff --git a/dogtag/console-ui/src/CMSAdminRS.properties b/dogtag/console-ui/src/CMSAdminRS.properties index e421049..4cf156b 100644 --- a/dogtag/console-ui/src/CMSAdminRS.properties +++ b/dogtag/console-ui/src/CMSAdminRS.properties 
@@ -387,6 +387,12 @@ CAGENERAL_COMBOBOX_ALGORITHM_VALUE_2=SHA1 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_3=SHA256 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_4=SHA512 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_5=SHA1 with DSA +CAGENERAL_BORDER_MANAGEMENT_LABEL=Serial Number Management +CAGENERAL_CHECKBOX_MANAGEMENT_LABEL=Enable serial number management +CAGENERAL_CHECKBOXL_MANAGEMENT_TTIP=Allow CA to manage serial numbers automatically +CAGENERAL_BORDER_RANDOM_LABEL=Random Certificate Serial Numbers +CAGENERAL_CHECKBOX_RANDOM_LABEL=Enable random certificate serial numbers +CAGENERAL_CHECKBOXL_RANDOM_TTIP=Allow CA to generate random certificate serial numbers CAGENERAL_BORDER_SERIAL_LABEL=Certificate Serial Number CAGENERAL_LABEL_SERIAL_LABEL=Next Serial Number: (0x) CAGENERAL_LABEL_SERIAL_TTIP=Specify the next serial number of the certificate that the CA issues From mharmsen at redhat.com Sat Apr 20 02:46:37 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Fri, 19 Apr 2013 19:46:37 -0700 Subject: [Pki-devel] [PATCH] random certificate serial numbers In-Reply-To: <5171CABD.8020809@redhat.com> References: <5171CABD.8020809@redhat.com> Message-ID: <5172018D.9000602@redhat.com> On 04/19/13 15:52, Andrew Wnuk wrote: > This patch adds support for random certificate serial numbers. > > Bug 912554. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK I received a demo of this fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: From awnuk at redhat.com Sat Apr 20 02:47:03 2013 
From: awnuk at redhat.com (Andrew Wnuk) Date: Fri, 19 Apr 2013 19:47:03 -0700 Subject: [Pki-devel] [PATCH] random certificate serial numbers - updated Message-ID: <517201A7.7070304@redhat.com> This patch adds support for random certificate serial numbers. It was updated to add ability to configure random certificate serial numbers using pkispawn. Bug 912554. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- diff --git a/base/ca/shared/conf/CS.cfg.in b/base/ca/shared/conf/CS.cfg.in index a1acde2..1316e9b 100644 --- a/base/ca/shared/conf/CS.cfg.in +++ b/base/ca/shared/conf/CS.cfg.in @@ -769,7 +769,9 @@ cmsgateway._029=## cmsgateway.enableAdminEnroll=false https.port=8443 http.port=8080 -dbs.enableSerialManagement=false +dbs.enableSerialManagement=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] +dbs.enableRandomSerialNumbers=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] +dbs.randomSerialNumberCounter=0 dbs.beginRequestNumber=1 dbs.endRequestNumber=10000000 dbs.requestIncrement=10000000 diff --git a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java index 21859a0..39f336b 100644 --- a/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java +++ b/base/common/src/com/netscape/certsrv/ca/ICertificateAuthority.java @@ -34,6 +34,7 @@ import org.mozilla.jss.crypto.SignatureAlgorithm; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.dbs.IDBSubsystem; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.crldb.ICRLRepository; import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository; 
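Review bot: in the CS.cfg.in hunk, dbs.enableSerialManagement and dbs.enableRandomSerialNumbers are both filled from the single [PKI_ENABLE_RANDOM_SERIAL_NUMBERS] slot, so enabling random serial numbers at spawn time also switches serial number management on, and the two settings can never differ in a fresh instance. If that coupling is intended, say so in the commit message and the pkispawn documentation; otherwise give serial management its own substitution slot.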
@@ -473,6 +474,13 @@ public interface ICertificateAuthority extends ISubsystem { public IService getCAService(); /** + * Retrieves the DB subsystem managing internal data storage. + * + * @return DB subsystem object + */ + public IDBSubsystem getDBSubsystem(); + + /** * Returns the in-memory count of the processed OCSP requests. * * @return number of processed OCSP requests in memory diff --git a/base/common/src/com/netscape/certsrv/common/Constants.java b/base/common/src/com/netscape/certsrv/common/Constants.java index 880e146..bc8dcef 100644 --- a/base/common/src/com/netscape/certsrv/common/Constants.java +++ b/base/common/src/com/netscape/certsrv/common/Constants.java @@ -346,6 +346,8 @@ public interface Constants { public final static String PR_ALL_ALGORITHMS = "allSigningAlgorithms"; public final static String PR_SERIAL = "startSerialNumber"; public final static String PR_MAXSERIAL = "maxSerialNumber"; + public final static String PR_SN_MANAGEMENT = "serialNumberManagement"; + public final static String PR_RANDOM_SN = "randomSerialNumbers"; /*======================================================== * Access Control diff --git a/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java index dfa5312..de4060e 100644 --- a/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java +++ b/base/common/src/com/netscape/certsrv/dbs/IDBSubsystem.java @@ -23,6 +23,7 @@ import netscape.ldap.LDAPConnection; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; +import com.netscape.certsrv.base.IConfigStore; /** * An interface represents certificate server 
@@ -204,6 +205,32 @@ public interface IDBSubsystem extends ISubsystem { public void setEnableSerialMgmt(boolean value) throws EBaseException; /** + * Gets internal DB configuration store + * + * @return internal DB configuration store + */ + public IConfigStore getConfigStore(); + + /** + * Gets DB subsystem configuration store + * + * @return DB subsystem configuration store + */ + public IConfigStore getDBConfigStore(); + + /** + * Gets attribute value for specified entry + * + * @param dn entry's distinguished name + * @param attrName attribute's name + * @param defaultValue attribute's default value + * @param errorValue attribute's error value + * @return attribute value + */ + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue); + + /** * Returns LDAP connection to connection pool. * * @param conn connection to be returned diff --git a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java index d54cfb3..40d22d6 100644 --- a/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java +++ b/base/common/src/com/netscape/certsrv/dbs/certdb/ICertificateRepository.java @@ -42,6 +42,16 @@ import com.netscape.cmscore.dbs.CertificateRepository.RenewableCertificateCollec public interface ICertificateRepository extends IRepository { /** + * Retrieves the next certificate serial number, and also increases + * the serial number by one. + * + * @return serial number + * @exception EBaseException failed to retrieve next serial number + */ + public BigInteger getNextSerialNumber() + throws EBaseException; + + /** * Adds a certificate record to the repository. Each certificate * record contains four parts: certificate, meta-attributes, * issue information and reovcation information. 
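Review bot: the Javadoc added for ICertificateRepository.getNextSerialNumber() says it "also increases the serial number by one", which describes only the sequential mode. This patch puts a random mode behind the same method, so the comment should state what the call returns in that mode, including whether the value is guaranteed to lie in the current range and to be unused.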
@@ -512,5 +522,23 @@ public interface ICertificateRepository extends IRepository { */ public void removeCertRecords(BigInteger beginS, BigInteger endS) throws EBaseException; + /** + * Retrieves serial number management mode. + * + * @return serial number management mode, + * "true" indicates random serial number management, + * "false" indicates sequential serial number management. + */ + public boolean getEnableRandomSerialNumbers(); + + /** + * Sets serial number management mode for certificates.. + * + * @param random "true" sets random serial number management, "false" sequential + * @param updateMode "true" updates "description" attribute in certificate repository + * @param forceModeChange "true" forces certificate repository mode change + */ + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange); + public void shutdown(); } diff --git a/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java index 12dc71c..dd5f557 100644 --- a/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java +++ b/base/common/src/com/netscape/certsrv/dbs/repository/IRepositoryRecord.java @@ -32,6 +32,7 @@ public interface IRepositoryRecord extends IDBObj { public final static String ATTR_SERIALNO = "serialNo"; public final static String ATTR_PUB_STATUS = "publishingStatus"; + public final static String ATTR_DESCRIPTION = "description"; /** * Retrieves serial number. @@ -41,4 +42,6 @@ public interface IRepositoryRecord extends IDBObj { public BigInteger getSerialNumber(); public String getPublishingStatus(); + + public String getDescription(); } diff --git a/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java index 9e06f04..09c77e5 100644 --- a/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java 
+++ b/base/common/src/com/netscape/cms/servlet/admin/CAAdminServlet.java @@ -1480,6 +1480,10 @@ public class CAAdminServlet extends AdminServlet { getSigningAlgConfig(params); getSerialConfig(params); getMaxSerialConfig(params); + params.put(Constants.PR_SN_MANAGEMENT, + Boolean.toString(mCA.getDBSubsystem().getEnableSerialMgmt())); + params.put(Constants.PR_RANDOM_SN, + Boolean.toString(mCA.getCertificateRepository().getEnableRandomSerialNumbers())); sendResponse(SUCCESS, null, params, resp); } @@ -1549,6 +1553,10 @@ public class CAAdminServlet extends AdminServlet { mCA.setStartSerial(value); } else if (key.equals(Constants.PR_MAXSERIAL)) { mCA.setMaxSerial(value); + } else if (key.equals(Constants.PR_SN_MANAGEMENT)) { + mCA.getDBSubsystem().setEnableSerialMgmt(Boolean.valueOf(value)); + } else if (key.equals(Constants.PR_RANDOM_SN)) { + mCA.getCertificateRepository().setEnableRandomSerialNumbers(Boolean.valueOf(value), true, false); } } diff --git a/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java b/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java index c2ecb87..b953351 100644 --- a/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java +++ b/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java @@ -25,6 +25,7 @@ import java.util.Date; import java.util.Enumeration; import java.util.Hashtable; import java.util.Vector; +import java.util.Random; import java.util.concurrent.Executors; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ThreadFactory; 
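Review bot: in the CAAdminServlet hunk that handles updates, PR_RANDOM_SN is applied with setEnableRandomSerialNumbers(Boolean.valueOf(value), true, false) without checking getEnableSerialMgmt(). The console patch posted earlier in this thread only sends TRUE when serial number management is also selected, but that rule lives in the client. Enforce it in the servlet as well, so the stored configuration cannot end up with random serial numbers enabled and serial management disabled.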
@@ -43,8 +44,10 @@ import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.MetaInfo; import com.netscape.certsrv.base.SessionContext; +import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.ca.ICRLIssuingPoint; import com.netscape.certsrv.dbs.EDBException; +import com.netscape.certsrv.dbs.EDBRecordNotFoundException; import com.netscape.certsrv.dbs.IDBSSession; import com.netscape.certsrv.dbs.IDBSearchResults; import com.netscape.certsrv.dbs.IDBSubsystem; @@ -56,6 +59,7 @@ import com.netscape.certsrv.dbs.certdb.ICertRecordList; import com.netscape.certsrv.dbs.certdb.ICertificateRepository; import com.netscape.certsrv.dbs.certdb.IRevocationInfo; import com.netscape.certsrv.dbs.repository.IRepository; +import com.netscape.certsrv.dbs.repository.IRepositoryRecord; import com.netscape.certsrv.logging.ILogger; /** @@ -71,6 +75,15 @@ public class CertificateRepository extends Repository implements ICertificateRepository { public final String CERT_X509ATTRIBUTE = "x509signedcert"; + private static final String PROP_ENABLE_RANDOM_SERIAL_NUMBERS = "enableRandomSerialNumbers"; + private static final String PROP_RANDOM_SERIAL_NUMBER_COUNTER = "randomSerialNumberCounter"; + private static final String PROP_FORCE_MODE_CHANGE = "forceModeChange"; + private static final String PROP_RANDOM_MODE = "random"; + private static final String PROP_SEQUENTIAL_MODE = "sequential"; + private static final String PROP_COLLISION_RECOVERY_STEPS = "collisionRecoverySteps"; + private static final String PROP_COLLISION_RECOVERY_REGENERATIONS = "collisionRecoveryRegenerations"; + private static final String PROP_MINIMUM_RANDOM_BITS = "minimumRandomBits"; + private static final BigInteger BI_MINUS_ONE = (BigInteger.ZERO).subtract(BigInteger.ONE); private IDBSubsystem mDBService; private String mBaseDN; 
@@ -85,6 +98,15 @@ public class CertificateRepository extends Repository private int mTransitMaxRecords = 1000000; private int mTransitRecordPageSize = 200; + private Random mRandom = null; + private int mBitLength = 0; + private BigInteger mRangeSize = null; + private int mMinRandomBitLength = 4; + private int mMaxCollisionRecoverySteps = 10; + private int mMaxCollisionRecoveryRegenerations = 3; + private IConfigStore mDBConfig = null; + private boolean mForceModeChange = false; + public CertStatusUpdateTask certStatusUpdateTask; public RetrieveModificationsTask retrieveModificationsTask; 
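Review bot: mRandom is typed as java.util.Random (imported at the top of this file's diff), and getRandomNumber() later creates it with new Random(). That class is a seeded linear congruential generator, so if these serial numbers are meant to be unpredictable, declare and construct it as java.security.SecureRandom, which is a subclass of Random and needs no other code change. The default mMinRandomBitLength = 4 also deserves a comment explaining why so small a range is acceptable for random mode.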
@@ -96,12 +118,302 @@ public class CertificateRepository extends Repository super(dbService, increment, baseDN); mBaseDN = certRepoBaseDN; mDBService = dbService; + mDBConfig = mDBService.getDBConfigStore(); } public ICertRecord createCertRecord(BigInteger id, Certificate cert, MetaInfo meta) { return new CertRecord(id, cert, meta); } + public boolean getEnableRandomSerialNumbers() { + return mEnableRandomSerialNumbers; + } + + public void setEnableRandomSerialNumbers(boolean random, boolean updateMode, boolean forceModeChange) { + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers random="+random+" updateMode="+updateMode); + if (mEnableRandomSerialNumbers ^ random || forceModeChange) { + mEnableRandomSerialNumbers = random; + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers switching to " + + ((random)?PROP_RANDOM_MODE:PROP_SEQUENTIAL_MODE) + " mode"); + if (updateMode) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + } + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + + BigInteger lastSerialNumber = null; + try { + lastSerialNumber = getLastSerialNumberInRange(mMinSerialNo,mMaxSerialNo); + } catch (Exception e) { + } + if (lastSerialNumber != null) { + super.setLastSerialNo(lastSerialNumber); + if (mEnableRandomSerialNumbers) { + mCounter = lastSerialNumber.subtract(mMinSerialNo).add(BigInteger.ONE); + CMS.debug("CertificateRepository: setEnableRandomSerialNumbers mCounter="+ + mCounter+"="+lastSerialNumber+"-"+mMinSerialNo+"+1"); + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + } else { + mCounter = BI_MINUS_ONE; + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + } + } + + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + } + } + + private BigInteger getRandomNumber() throws EBaseException { + BigInteger 
randomNumber = null; + + if (mRandom == null) { + mRandom = new Random(); + } + super.initCacheIfNeeded(); + + if (mRangeSize == null) { + mRangeSize = (mMaxSerialNo.subtract(mMinSerialNo)).add(BigInteger.ONE); + CMS.debug("CertificateRepository: getRandomNumber mRangeSize="+mRangeSize); + mBitLength = mRangeSize.bitLength(); + CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ + " >mMinRandomBitLength="+mMinRandomBitLength); + } + if (mBitLength < mMinRandomBitLength) { + CMS.debug("CertificateRepository: getRandomNumber mBitLength="+mBitLength+ + " = 0 && + mMinSerialNo != null && mMaxSerialNo != null && + nextSerialNumber != null && + nextSerialNumber.compareTo(mMinSerialNo) >= 0 && + nextSerialNumber.compareTo(mMaxSerialNo) <= 0) { + mCounter = mCounter.add(BigInteger.ONE); + } + CMS.debug("CertificateRepository: getNextSerialNumber nextSerialNumber="+ + nextSerialNumber+" mCounter="+mCounter); + + super.checkRange(); + } else { + nextSerialNumber = super.getNextSerialNumber(); + } + } + + return nextSerialNumber; + } + + private void updateCounter() { + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + try { + super.initCacheIfNeeded(); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception from initCacheIfNeeded: "+e.getMessage()); + } + + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: updateCounter mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + CMS.debug("CertificateRepository: updateCounter CertificateRepositoryMode ="+crMode); + CMS.debug("CertificateRepository: updateCounter modeChange="+modeChange); + if (modeChange) { 
+ if (mForceModeChange) { + setEnableRandomSerialNumbers(mEnableRandomSerialNumbers, true, mForceModeChange); + } else { + setEnableRandomSerialNumbers(!mEnableRandomSerialNumbers, false, mForceModeChange); + } + } else if (mEnableRandomSerialNumbers && mCounter != null && + mCounter.compareTo(BigInteger.ZERO) >= 0) { + long t = System.currentTimeMillis(); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()+","+t); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } + CMS.debug("CertificateRepository: UpdateCounter mEnableRandomSerialNumbers="+ + mEnableRandomSerialNumbers+" mCounter="+mCounter); + } + + private BigInteger getInRangeCount(String fromTime, BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { + BigInteger count = BigInteger.ZERO; + String filter = null; + + if (fromTime != null && fromTime.length() > 0) { + filter = "(certCreateTime >= "+fromTime+")"; + } else { + filter = "(&("+ICertRecord.ATTR_ID+">="+minSerialNo+")("+ + ICertRecord.ATTR_ID+"<="+maxSerialNo+"))"; + } + CMS.debug("CertificateRepository: getInRangeCount filter="+filter+ + " minSerialNo="+minSerialNo+" maxSerialNo="+maxSerialNo); + + Enumeration e = findCertRecs(filter, new String[] {ICertRecord.ATTR_ID, "objectclass"}); + while (e != null && e.hasMoreElements()) { + ICertRecord rec = (ICertRecord) e.nextElement(); + if (rec != null) { + BigInteger sn = rec.getSerialNumber(); + if (fromTime == null || fromTime.length() == 0 || + (minSerialNo != null && maxSerialNo != null && + sn != null && sn.compareTo(minSerialNo) >= 0 && + sn.compareTo(maxSerialNo) <= 0)) { + count = count.add(BigInteger.ONE); + } + } + } + CMS.debug("CertificateRepository: getInRangeCount count=" + count); + + return count; + } + + private BigInteger getInRangeCounter(BigInteger minSerialNo, BigInteger maxSerialNo) + throws EBaseException { 
+ String c = null; + String t = null; + String s = (mDBConfig.getString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-1")).trim(); + CMS.debug("CertificateRepository: getInRangeCounter: saved counter string="+s); + int i = s.indexOf(','); + int n = s.length(); + if (i > -1) { + if (i > 0) { + c = s.substring(0, i); + if (i < n) { + t = s.substring(i+1); + } + } else { + c = "-1"; + } + } else { + c = s; + } + CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); + + BigInteger counter = new BigInteger(c); + BigInteger count = BigInteger.ZERO; + if (CMS.isPreOpMode()) { + CMS.debug("CertificateRepository: getInRangeCounter: CMS.isPreOpMode"); + counter = new BigInteger("-2"); + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, "-2"); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + CMS.debug("CertificateRepository: updateCounter Exception committing ConfigStore="+e.getMessage()); + } + } else if (t != null) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if (count.compareTo(BigInteger.ZERO) > 0) { + counter = counter.add(count); + } + } else if (s.equals("-2")) { + count = getInRangeCount(t, minSerialNo, maxSerialNo); + if (count.compareTo(BigInteger.ZERO) >= 0) { + counter = count; + } + } + CMS.debug("CertificateRepository: getInRangeCounter: counter=" + counter); + + return counter; + } + public BigInteger getLastSerialNumberInRange(BigInteger serial_low_bound, BigInteger serial_upper_bound) throws EBaseException { 
@@ -114,7 +426,43 @@ public class CertificateRepository extends Repository } - String ldapfilter = "(" + "certstatus" + "=*" + ")"; + mEnableRandomSerialNumbers = mDBConfig.getBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, false); + mForceModeChange = mDBConfig.getBoolean(PROP_FORCE_MODE_CHANGE, false); + String crMode = mDBService.getEntryAttribute(mBaseDN, IRepositoryRecord.ATTR_DESCRIPTION, "", null); + mMinRandomBitLength = mDBConfig.getInteger(PROP_MINIMUM_RANDOM_BITS, 4); + mMaxCollisionRecoverySteps = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_STEPS, 10); + mMaxCollisionRecoveryRegenerations = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_REGENERATIONS, 3); + boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || + ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + CMS.debug("CertificateRepository: getLastSerialNumberInRange"+ + " mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers+ + " mMinRandomBitLength="+mMinRandomBitLength+ + " CollisionRecovery="+mMaxCollisionRecoveryRegenerations+","+mMaxCollisionRecoverySteps); + CMS.debug("CertificateRepository: getLastSerialNumberInRange modeChange="+modeChange+ + " mForceModeChange="+mForceModeChange+((crMode != null)?(" mode="+crMode):"")); + if (modeChange) { + if (mForceModeChange) { + setCertificateRepositoryMode((mEnableRandomSerialNumbers)? 
PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); + mForceModeChange = false; + mDBConfig.remove(PROP_FORCE_MODE_CHANGE); + } else { + mEnableRandomSerialNumbers = !mEnableRandomSerialNumbers; + mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); + } + } + if (mEnableRandomSerialNumbers && mCounter == null) { + mCounter = getInRangeCounter(serial_low_bound, serial_upper_bound); + } else { + mCounter = BI_MINUS_ONE; + } + mDBConfig.putString(PROP_RANDOM_SERIAL_NUMBER_COUNTER, mCounter.toString()); + try { + CMS.getConfigStore().commit(false); + } catch (Exception e) { + } + CMS.debug("CertificateRepository: getLastSerialNumberInRange mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers); + + String ldapfilter = "("+ICertRecord.ATTR_CERT_STATUS+"=*"+")"; String[] attrs = null; @@ -130,7 +478,7 @@ public class CertificateRepository extends Repository BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); return ret; } @@ -156,6 +504,10 @@ public class CertificateRepository extends Repository if (((serial.compareTo(serial_low_bound) == 0) || (serial.compareTo(serial_low_bound) == 1)) && ((serial.compareTo(serial_upper_bound) == 0) || (serial.compareTo(serial_upper_bound) == -1))) { CMS.debug("getLastSerialNumberInRange returning: " + serial); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = serial.subtract(serial_low_bound).add(BigInteger.ONE); + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return serial; } } else { 
@@ -165,9 +517,13 @@ public class CertificateRepository extends Repository BigInteger ret = new BigInteger(serial_low_bound.toString(10)); - ret = ret.add(new BigInteger("-1")); + ret = ret.subtract(BigInteger.ONE); CMS.debug("CertificateRepository:getLastCertRecordSerialNo: returning " + ret); + if (modeChange && mEnableRandomSerialNumbers) { + mCounter = BigInteger.ZERO; + CMS.debug("getLastSerialNumberInRange mCounter: " + mCounter); + } return ret; } @@ -275,6 +631,7 @@ public class CertificateRepository extends Repository transitRevokedExpiredCertificates(); CMS.getLogger().log(ILogger.EV_SYSTEM, ILogger.S_OTHER, CMS.getLogMessage("CMSCORE_DBS_FINISH_REVOKED_EXPIRED_SEARCH")); + updateCounter(); } /** 
@@ -646,6 +1003,50 @@ public class CertificateRepository extends Repository return rec; } + public boolean checkCertificateRecord(BigInteger serialNo) + throws EBaseException { + IDBSSession s = mDBService.createSession(); + CertRecord rec = null; + boolean exists = true; + + try { + String name = "cn" + "=" + + serialNo.toString() + "," + getDN(); + String attrs[] = { "DN" }; + + rec = (CertRecord) s.read(name, attrs); + if (rec == null) exists = false; + } catch (EDBRecordNotFoundException e) { + exists = false; + } catch (Exception e) { + throw new EBaseException(e.getMessage()); + } finally { + if (s != null) + s.close(); + } + return exists; + } + + private void setCertificateRepositoryMode(String mode) { + IDBSSession s = null; + + CMS.debug("CertificateRepository: setCertificateRepositoryMode setting mode: "+mode); + try { + s = mDBService.createSession(); + ModificationSet mods = new ModificationSet(); + String name = getDN(); + mods.add(IRepositoryRecord.ATTR_DESCRIPTION, Modification.MOD_REPLACE, mode); + s.modify(name, mods); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + try { + if (s != null) s.close(); + } catch (Exception e) { + CMS.debug("CertificateRepository: setCertificateRepositoryMode Exception: "+e.getMessage()); + } + } + public synchronized void modifyCertificateRecord(BigInteger serialNo, ModificationSet mods) throws EBaseException { IDBSSession s = mDBService.createSession(); @@ -1195,7 +1596,7 @@ public class CertificateRepository extends Repository String fromVal = "0"; try { if (from != null) { - Integer.parseInt(from); + new BigInteger(from); fromVal = from; } } catch (Exception e1) { diff --git a/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java b/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java index 0824cc9..be674bf 100644 --- a/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java 
+++ b/base/common/src/com/netscape/cmscore/dbs/DBSubsystem.java @@ -138,8 +138,6 @@ public class DBSubsystem implements IDBSubsystem { private static final String PROP_INCREMENT_NAME = "increment_name"; private static final String PROP_RANGE_DN = "rangeDN"; - private static final BigInteger BI_ONE = new BigInteger("1"); - private ILogger mLogger = null; // singleton enforcement @@ -424,7 +422,7 @@ public class DBSubsystem implements IDBSubsystem { conn.modify(dn, mods); // Add new range object - String endRange = nextRangeNo.add(incrementNo).subtract(BI_ONE).toString(); + String endRange = nextRangeNo.add(incrementNo).subtract(BigInteger.ONE).toString(); LDAPAttributeSet attrs = new LDAPAttributeSet(); attrs.add(new LDAPAttribute("objectClass", "top")); attrs.add(new LDAPAttribute("objectClass", "pkiRange")); @@ -436,6 +434,8 @@ public class DBSubsystem implements IDBSubsystem { String dn2 = "cn=" + nextRange + "," + rangeDN; LDAPEntry rangeEntry = new LDAPEntry(dn2, attrs); conn.add(rangeEntry); + CMS.debug("DBSubsystem: getNextRange Next range has been added: " + + nextRange + " - " + endRange); } catch (Exception e) { CMS.debug("DBSubsystem: getNextRange. Unable to provide next range :" + e); e.printStackTrace(); @@ -531,6 +531,7 @@ public class DBSubsystem implements IDBSubsystem { PROP_NEXT_SERIAL_NUMBER, "0"), 16); mEnableSerialMgmt = mDBConfig.getBoolean(PROP_ENABLE_SERIAL_MGMT, false); + CMS.debug("DBSubsystem: init() mEnableSerialMgmt="+mEnableSerialMgmt); // populate the certs hash entry Hashtable certs = new Hashtable(); @@ -783,6 +784,10 @@ public class DBSubsystem implements IDBSubsystem { reg.registerAttribute(IRepositoryRecord.ATTR_PUB_STATUS, new StringMapper(RepositorySchema.LDAP_ATTR_PUB_STATUS)); } + if (!reg.isAttributeRegistered(IRepositoryRecord.ATTR_DESCRIPTION)) { + reg.registerAttribute(IRepositoryRecord.ATTR_DESCRIPTION, + new StringMapper(RepositorySchema.LDAP_ATTR_DESCRIPTION)); + } } catch (EBaseException e) { if (CMS.isPreOpMode()) 
@@ -791,6 +796,47 @@ public class DBSubsystem implements IDBSubsystem { } } + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue) { + LDAPConnection conn = null; + String attrValue = null; + try { + conn = mLdapConnFactory.getConn(); + String[] attrs = { attrName }; + LDAPEntry entry = conn.read(dn, attrs); + if (entry != null) { + LDAPAttribute attr = entry.getAttribute(attrName); + if (attr != null) { + attrValue = (String) attr.getStringValues().nextElement(); + } else { + attrValue = defaultValue; + } + } else { + attrValue = errorValue; + } + } catch (LDAPException e) { + CMS.debug("DBSubsystem: getEntryAttribute LDAPException code="+e.getLDAPResultCode()); + if (e.getLDAPResultCode() == LDAPException.NO_SUCH_OBJECT) { + attrValue = defaultValue; + } + } catch (Exception e) { + CMS.debug("DBSubsystem: getEntryAttribute. Unable to retrieve '"+attrName+"': "+ e); + attrValue = errorValue; + } finally { + try { + if ((conn != null) && (mLdapConnFactory != null)) { + CMS.debug("Releasing ldap connection"); + mLdapConnFactory.returnConn(conn); + } + } catch (Exception e) { + CMS.debug("Error releasing the ldap connection" + e.toString()); + } + } + CMS.debug("DBSubsystem: getEntryAttribute: dn="+dn+" attr="+attrName+":"+attrValue+";"); + + return attrValue; + } + /** * Starts up this service. */ @@ -798,13 +844,20 @@ public class DBSubsystem implements IDBSubsystem { } /** - * Retrieves configuration store. + * Retrieves internal DB configuration store. */ public IConfigStore getConfigStore() { return mConfig; } /** + * Retrieves DB subsystem configuration store. + */ + public IConfigStore getDBConfigStore() { + return mDBConfig; + } + + /** * Retrieves base DN of backend database. */ public String getBaseDN() { diff --git a/base/common/src/com/netscape/cmscore/dbs/Repository.java b/base/common/src/com/netscape/cmscore/dbs/Repository.java index 57ac500..e6b6e83 100644 
--- a/base/common/src/com/netscape/cmscore/dbs/Repository.java +++ b/base/common/src/com/netscape/cmscore/dbs/Repository.java @@ -49,7 +49,6 @@ import com.netscape.certsrv.dbs.repository.IRepositoryRecord; public abstract class Repository implements IRepository { - private static final BigInteger BI_ONE = new BigInteger("1"); private BigInteger BI_INCREMENT = null; // (the next serialNo to be issued) - 1 private BigInteger mSerialNo = null; @@ -61,8 +60,10 @@ public abstract class Repository implements IRepository { private String mNextMaxSerial = null; private String mNextMinSerial = null; - private BigInteger mMinSerialNo = null; - private BigInteger mMaxSerialNo = null; + protected boolean mEnableRandomSerialNumbers = false; + protected BigInteger mCounter = null; + protected BigInteger mMinSerialNo = null; + protected BigInteger mMaxSerialNo = null; private BigInteger mNextMinSerialNo = null; private BigInteger mNextMaxSerialNo = null; @@ -149,6 +150,7 @@ public abstract class Repository implements IRepository { } BigInteger serial = rec.getSerialNumber(); + CMS.debug("Repository: getSerialNumber serial="+serial); if (!mInit) { // cms may crash after issue a cert but before update @@ -158,7 +160,7 @@ public abstract class Repository implements IRepository { serial + "," + mBaseDN); if (obj != null) { - serial = serial.add(BI_ONE); + serial = serial.add(BigInteger.ONE); setSerialNumber(serial); } } catch (EBaseException e) { @@ -246,6 +248,10 @@ public abstract class Repository implements IRepository { return mMinSerial; } + protected void setLastSerialNo(BigInteger lastSN) { + mLastSerialNo = lastSN; + } + /** * init serial number cache */ 
@@ -281,7 +287,10 @@ public abstract class Repository implements IRepository { String increment = mDB.getIncrementConfig(mRepo); String lowWaterMark = mDB.getLowWaterMarkConfig(mRepo); - CMS.debug("Repository: minSerial " + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: minSerial:" + mMinSerial + " maxSerial: " + mMaxSerial); + CMS.debug("Repository: nextMinSerial: " + ((mNextMinSerial == null)?"":mNextMinSerial) + + " nextMaxSerial: " + ((mNextMaxSerial == null)?"":mNextMaxSerial)); + CMS.debug("Repository: increment:" + increment + " lowWaterMark: " + lowWaterMark); if (mMinSerial != null) mMinSerialNo = new BigInteger(mMinSerial, mRadix); @@ -317,6 +326,11 @@ public abstract class Repository implements IRepository { } + protected void initCacheIfNeeded() throws EBaseException { + if (mLastSerialNo == null) + initCache(); + } + /** * get the next serial number in cache */ @@ -325,7 +339,7 @@ public abstract class Repository implements IRepository { CMS.debug("Repository:In getTheSerialNumber "); if (mLastSerialNo == null) initCache(); - BigInteger serial = new BigInteger((mLastSerialNo.add(BI_ONE)).toString()); + BigInteger serial = mLastSerialNo.add(BigInteger.ONE); if (mMaxSerialNo != null && serial.compareTo(mMaxSerialNo) > 0) return null; @@ -354,7 +368,7 @@ public abstract class Repository implements IRepository { // < BI_INCREMENT and server restart right afterwards. mDB.setNextSerialConfig(num); - mSerialNo = num.subtract(BI_ONE); + mSerialNo = num.subtract(BigInteger.ONE); mNext = num.add(BI_INCREMENT); setSerialNumber(mNext); } 
@@ -373,36 +387,65 @@ public abstract class Repository implements IRepository { if (mLastSerialNo == null) { initCache(); - - mLastSerialNo = mLastSerialNo.add(BI_ONE); - - } else { - mLastSerialNo = mLastSerialNo.add(BI_ONE); } - if (mLastSerialNo == null) { CMS.debug("Repository::getNextSerialNumber() " + "- mLastSerialNo is null!"); throw new EBaseException("mLastSerialNo is null"); } + mLastSerialNo = mLastSerialNo.add(BigInteger.ONE); + + checkRange(); + + BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); + + CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); + return retSerial; + } + + /** + * Checks to see if range needs to be switched. + * + * @exception EBaseException thrown when next range is not allocated + */ + protected void checkRange() throws EBaseException + { // check if we have reached the end of the range // if so, move to next range - if (mLastSerialNo.compareTo(mMaxSerialNo) > 0) { + BigInteger randomLimit = null; + BigInteger rangeLength = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + rangeLength = mMaxSerialNo.subtract(mMinSerialNo).add(BigInteger.ONE); + randomLimit = rangeLength.subtract(mLowWaterMarkNo.shiftRight(1)); + CMS.debug("Repository: checkRange rangeLength="+rangeLength); + CMS.debug("Repository: checkRange randomLimit="+randomLimit); + } + CMS.debug("Repository: checkRange mLastSerialNo="+mLastSerialNo); + if (mLastSerialNo.compareTo( mMaxSerialNo ) > 0 || + ((!CMS.isPreOpMode()) && randomLimit != null && mCounter.compareTo(randomLimit) > 0)) { + if (mDB.getEnableSerialMgmt()) { CMS.debug("Reached the end of the range. 
Attempting to move to next range"); + if ((mNextMinSerialNo == null) || (mNextMaxSerialNo == null)) { + if (rangeLength != null && mCounter.compareTo(rangeLength) < 0) { + return; + } else { + throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", + mLastSerialNo.toString())); + } + } mMinSerialNo = mNextMinSerialNo; mMaxSerialNo = mNextMaxSerialNo; - mNextMinSerialNo = null; - mNextMaxSerialNo = null; - if ((mMaxSerialNo == null) || (mMinSerialNo == null)) { - throw new EDBException(CMS.getUserMessage("CMS_DBS_LIMIT_REACHED", - mLastSerialNo.toString())); - } mLastSerialNo = mMinSerialNo; + mNextMinSerialNo = null; + mNextMaxSerialNo = null; + mCounter = BigInteger.ZERO; + // persist the changes - mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString()); - mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString()); + mDB.setMinSerialConfig(mRepo, mMinSerialNo.toString(mRadix)); + mDB.setMaxSerialConfig(mRepo, mMaxSerialNo.toString(mRadix)); mDB.setNextMinSerialConfig(mRepo, null); mDB.setNextMaxSerialConfig(mRepo, null); } else { @@ -410,11 +453,6 @@ public abstract class Repository implements IRepository { mLastSerialNo.toString())); } } - - BigInteger retSerial = new BigInteger(mLastSerialNo.toString()); - - CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial); - return retSerial; } /** 
@@ -436,13 +474,19 @@ public abstract class Repository implements IRepository { if (mLastSerialNo == null) initCache(); - BigInteger numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + BigInteger numsInRange = null; + if ((this instanceof ICertificateRepository) && + mDB.getEnableSerialMgmt() && mEnableRandomSerialNumbers) { + numsInRange = (mMaxSerialNo.subtract(mMinSerialNo)).subtract(mCounter); + } else { + numsInRange = mMaxSerialNo.subtract(mLastSerialNo); + } BigInteger numsInNextRange = null; BigInteger numsAvail = null; CMS.debug("Serial numbers left in range: " + numsInRange.toString()); CMS.debug("Last Serial Number: " + mLastSerialNo.toString()); if ((mNextMaxSerialNo != null) && (mNextMinSerialNo != null)) { - numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo); + numsInNextRange = mNextMaxSerialNo.subtract(mNextMinSerialNo).add(BigInteger.ONE); numsAvail = numsInRange.add(numsInNextRange); CMS.debug("Serial Numbers in next range: " + numsInNextRange.toString()); CMS.debug("Serial Numbers available: " + numsAvail.toString()); @@ -458,7 +502,7 @@ public abstract class Repository implements IRepository { CMS.debug("Next Range not available"); } else { CMS.debug("nNextMinSerialNo has been set to " + mNextMinSerialNo.toString(mRadix)); - mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo); + mNextMaxSerialNo = mNextMinSerialNo.add(mIncrementNo).subtract(BigInteger.ONE); numsAvail = numsAvail.add(mIncrementNo); mDB.setNextMinSerialConfig(mRepo, mNextMinSerialNo.toString(mRadix)); mDB.setNextMaxSerialConfig(mRepo, mNextMaxSerialNo.toString(mRadix)); diff --git a/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java b/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java index 36d5ce9..a268f68 100644 --- a/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java +++ b/base/common/src/com/netscape/cmscore/dbs/RepositoryRecord.java 
@@ -40,11 +40,13 @@ public class RepositoryRecord implements IRepositoryRecord { private static final long serialVersionUID = 1648450747848783853L; private BigInteger mSerialNo = null; private String mPublishingStatus = null; + private String mDescription = null; protected static Vector mNames = new Vector(); static { mNames.addElement(IRepositoryRecord.ATTR_SERIALNO); mNames.addElement(IRepositoryRecord.ATTR_PUB_STATUS); + mNames.addElement(IRepositoryRecord.ATTR_DESCRIPTION); } /** @@ -62,6 +64,8 @@ public class RepositoryRecord implements IRepositoryRecord { mSerialNo = (BigInteger) obj; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { mPublishingStatus = (String) obj; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + mDescription = (String) obj; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -75,6 +79,8 @@ public class RepositoryRecord implements IRepositoryRecord { return mSerialNo; } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_PUB_STATUS)) { return mPublishingStatus; + } else if (name.equalsIgnoreCase(IRepositoryRecord.ATTR_DESCRIPTION)) { + return mDescription; } else { throw new EBaseException(CMS.getUserMessage("CMS_BASE_INVALID_ATTRIBUTE", name)); } @@ -108,4 +114,8 @@ public class RepositoryRecord implements IRepositoryRecord { public String getPublishingStatus() { return mPublishingStatus; } + + public String getDescription() { + return mDescription; + } } diff --git a/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java b/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java index 4ec8da6..5dfc555 100644 --- a/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java +++ b/base/common/src/com/netscape/cmscore/dbs/RepositorySchema.java 
@@ -31,4 +31,5 @@ public class RepositorySchema { public static final String LDAP_OC_REPOSITORY = "repository"; public static final String LDAP_ATTR_SERIALNO = "serialno"; public static final String LDAP_ATTR_PUB_STATUS = "publishingStatus"; + public final static String LDAP_ATTR_DESCRIPTION = "description"; } diff --git a/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java b/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java index 396121b..9b22213 100644 --- a/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java +++ b/base/common/test/com/netscape/cmscore/dbs/DBSubsystemDefaultStub.java @@ -168,4 +168,17 @@ public class DBSubsystemDefaultStub implements IDBSubsystem { // TODO Auto-generated method stub } + + @Override + public IConfigStore getDBConfigStore() { + // TODO Auto-generated method stub + return null; + } + + @Override + public String getEntryAttribute(String dn, String attrName, + String defaultValue, String errorValue) { + // TODO Auto-generated method stub + return null; + } } diff --git a/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java b/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java index bee66d6..4c89196 100644 --- a/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java +++ b/base/console/src/com/netscape/admin/certsrv/config/CMSCAGeneralPanel.java @@ -47,6 +47,8 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { private JTextField mSerialNumber; private JTextField mMaxSerialNumber; private JCheckBox mValidity; + private JCheckBox mEnableSerialNumberManagement; + private JCheckBox mEnableRandomSerialNumbers; private Vector mGroupData; private static final String HELPINDEX = "configuration-ca-general-help"; 
@@ -189,49 +191,86 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { gb2.setConstraints(dummy1, gbc); signingPanel.add(dummy1); + // add serial number management + CMSAdminUtil.resetGBC(gbc); + mEnableSerialNumberManagement = makeJCheckBox("MANAGEMENT"); + //mEnableSerialNumberManagement.setEnabled(false); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = 1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 0; + gb3.setConstraints(mEnableSerialNumberManagement, gbc); + serialPanel.add(mEnableSerialNumberManagement); + + // add random serial numbers + CMSAdminUtil.resetGBC(gbc); + mEnableRandomSerialNumbers = makeJCheckBox("RANDOM"); + gbc.anchor = gbc.CENTER; + gbc.gridwidth = gbc.REMAINDER; + gbc.gridheight = gbc.REMAINDER; //1; + gbc.weightx = 1.0; + gbc.weighty = 1.0; + gbc.gridx = 0; + gbc.gridy = 1; + gb3.setConstraints(mEnableRandomSerialNumbers, gbc); + serialPanel.add(mEnableRandomSerialNumbers); + // add serial number block CMSAdminUtil.resetGBC(gbc); JLabel serialLabel = makeJLabel("SERIAL"); + serialLabel.setEnabled(false); gbc.anchor = gbc.CENTER; gb3.setConstraints(serialLabel, gbc); + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; - //gbc.insets = new Insets(COMPONENT_SPACE,0,COMPONENT_SPACE,0); - serialPanel.add(serialLabel); + gbc.gridx = 0; + gbc.gridy = 2; + //serialPanel.add(serialLabel); CMSAdminUtil.resetGBC(gbc); mSerialNumber = makeJTextField(17); mSerialNumber.setEnabled(false); gbc.anchor = gbc.NORTHWEST; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 2; gb3.setConstraints(mSerialNumber, gbc); - serialPanel.add(mSerialNumber); + //serialPanel.add(mSerialNumber); // add end serial number block CMSAdminUtil.resetGBC(gbc); JLabel maxSerialLabel = makeJLabel("MAXSERIAL"); - 
gbc.anchor = gbc.EAST; - //gbc.insets = new Insets(COMPONENT_SPACE,DIFFERENT_COMPONENT_SPACE,0,0); - gbc.weightx = 0.0; + maxSerialLabel.setEnabled(false); + gbc.anchor = gbc.CENTER; gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; + gbc.weighty = 1.0; gbc.gridx = 0; + gbc.gridy = 3; gb3.setConstraints(maxSerialLabel, gbc); - //gbc.weighty = 1.0; - serialPanel.add(maxSerialLabel); + //serialPanel.add(maxSerialLabel); CMSAdminUtil.resetGBC(gbc); mMaxSerialNumber = makeJTextField(17); mMaxSerialNumber.setEnabled(false); - gbc.anchor = gbc.NORTHWEST; - gbc.gridy = 1; - //gbc.gridwidth = gbc.REMAINDER; - //gbc.gridheight = gbc.REMAINDER; - //gbc.weightx = 1.0; + gbc.anchor = gbc.CENTER; + gbc.gridwidth = 1; + gbc.gridheight = 1; + gbc.weightx = 0.0; gbc.weighty = 1.0; + gbc.gridx = 1; + gbc.gridy = 3; gb3.setConstraints(mMaxSerialNumber, gbc); - serialPanel.add(mMaxSerialNumber); + //serialPanel.add(mMaxSerialNumber); CMSAdminUtil.resetGBC(gbc); JLabel dummy2 = new JLabel(" "); @@ -249,13 +288,15 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { public void refresh() { mModel.progressStart(); NameValuePairs nvps = new NameValuePairs(); - nvps.put(Constants.PR_EE_ENABLED, ""); + //nvps.put(Constants.PR_EE_ENABLED, ""); //nvps.add(Constants.PR_RA_ENABLED, ""); nvps.put(Constants.PR_DEFAULT_ALGORITHM, ""); nvps.put(Constants.PR_ALL_ALGORITHMS, ""); nvps.put(Constants.PR_SERIAL, ""); nvps.put(Constants.PR_MAXSERIAL, ""); nvps.put(Constants.PR_VALIDITY, ""); + nvps.put(Constants.PR_SN_MANAGEMENT, ""); + nvps.put(Constants.PR_RANDOM_SN, ""); try { NameValuePairs val = mAdmin.read(DestDef.DEST_CA_ADMIN, 
@@ -268,22 +309,27 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { } mModel.progressStop(); clearDirtyFlag(); + enableFields(); } protected void populate(NameValuePairs nvps) { String defaultAlgorithm = ""; for (String name : nvps.keySet()) { String value = nvps.get(name); +/* if (name.equals(Constants.PR_EE_ENABLED)) { mEEEnable.setSelected(getBoolean(value)); } else if (name.equals(Constants.PR_OCSP_ENABLED)) { mOCSPEnable.setSelected(getBoolean(value)); -/* } else if (name.equals(Constants.PR_RA_ENABLED)) { mRAEnable.setSelected(getBoolean(nvp.getValue())); */ - } else if (name.equals(Constants.PR_VALIDITY)) { + if (name.equals(Constants.PR_VALIDITY)) { mValidity.setSelected(getBoolean(value)); + } else if (name.equals(Constants.PR_SN_MANAGEMENT)) { + mEnableSerialNumberManagement.setSelected(getBoolean(value)); + } else if (name.equals(Constants.PR_RANDOM_SN)) { + mEnableRandomSerialNumbers.setSelected(getBoolean(value)); } else if (name.equals(Constants.PR_DEFAULT_ALGORITHM)) { defaultAlgorithm = value; } else if (name.equals(Constants.PR_ALL_ALGORITHMS)) { @@ -321,9 +367,19 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { } public void actionPerformed(ActionEvent e) { + if (e.getSource().equals(mEnableSerialNumberManagement)) { + enableFields(); + } super.actionPerformed(e); } + private void enableFields() { + boolean enable = mEnableSerialNumberManagement.isSelected(); + mEnableRandomSerialNumbers.setEnabled(enable); + if (!enable) mEnableRandomSerialNumbers.setSelected(enable); + CMSAdminUtil.repaintComp(mEnableRandomSerialNumbers); + } + private String hexToDecimal(String hex) { //String newHex = hex.substring(2); @@ -338,6 +394,7 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { public boolean applyCallback() { NameValuePairs nvps = new NameValuePairs(); +/* if (mEEEnable.isSelected()) nvps.put(Constants.PR_EE_ENABLED, Constants.TRUE); else 
@@ -348,7 +405,6 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { else nvps.put(Constants.PR_OCSP_ENABLED, Constants.FALSE); -/* if (mRAEnable.isSelected()) nvps.add(Constants.PR_RA_ENABLED, Constants.TRUE); else @@ -360,6 +416,17 @@ public class CMSCAGeneralPanel extends CMSBaseTab implements ItemListener { else nvps.put(Constants.PR_VALIDITY, Constants.FALSE); + if (mEnableSerialNumberManagement.isSelected()) + nvps.put(Constants.PR_SN_MANAGEMENT, Constants.TRUE); + else + nvps.put(Constants.PR_SN_MANAGEMENT, Constants.FALSE); + + if (mEnableSerialNumberManagement.isSelected() && + mEnableRandomSerialNumbers.isSelected()) + nvps.put(Constants.PR_RANDOM_SN, Constants.TRUE); + else + nvps.put(Constants.PR_RANDOM_SN, Constants.FALSE); + nvps.put(Constants.PR_DEFAULT_ALGORITHM, (String) mAlgorithms.getSelectedItem()); diff --git a/base/server/config/pkislots.cfg b/base/server/config/pkislots.cfg index a2a661f..a68b45e 100644 --- a/base/server/config/pkislots.cfg +++ b/base/server/config/pkislots.cfg @@ -50,6 +50,7 @@ PKI_EE_SECURE_CLIENT_AUTH_PORT_UI_SLOT=[PKI_EE_SECURE_CLIENT_AUTH_PORT_UI] PKI_EE_SECURE_PORT_SLOT=[PKI_EE_SECURE_PORT] PKI_EE_SECURE_PORT_CONNECTOR_NAME_SLOT=[PKI_EE_SECURE_PORT_CONNECTOR_NAME] PKI_EE_SECURE_PORT_SERVER_COMMENT_SLOT=[PKI_EE_SECURE_PORT_SERVER_COMMENT] +PKI_ENABLE_RANDOM_SERIAL_NUMBERS=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS] PKI_GROUP_SLOT=[PKI_GROUP] PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID] PKI_INSTANCE_INITSCRIPT_SLOT=[PKI_INSTANCE_INITSCRIPT] diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index e848363..21a192c 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg 
@@ -372,6 +372,7 @@ pki_ocsp_signing_nickname=ocspSigningCert cert-%(pki_instance_name)s CA pki_ocsp_signing_signing_algorithm=SHA256withRSA pki_ocsp_signing_subject_dn=cn=CA OCSP Signing Certificate,o=%(pki_security_domain_name)s pki_ocsp_signing_token=Internal Key Storage Token +pki_random_serial_numbers_enable=False pki_subordinate=False pki_admin_email=%(pki_admin_name)s@%(pki_dns_domainname)s pki_admin_name=%(pki_admin_uid)s diff --git a/base/server/src/engine/pkiparser.py b/base/server/src/engine/pkiparser.py index 2e15376..4fbabe1 100644 --- a/base/server/src/engine/pkiparser.py +++ b/base/server/src/engine/pkiparser.py @@ -810,6 +810,10 @@ class PKIConfigParser: "+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA," +\ "+TLS_DHE_RSA_WITH_AES_128_CBC_SHA," +\ "+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" + if config.pki_master_dict['pki_subsystem'] == "CA": + config.pki_master_dict['PKI_ENABLE_RANDOM_SERIAL_NUMBERS']=\ + config.pki_master_dict\ + ['pki_random_serial_numbers_enable'].lower() # Shared Apache/Tomcat NSS security database name/value pairs config.pki_master_dict['pki_shared_pfile'] =\ os.path.join( diff --git a/dogtag/console-ui/src/CMSAdminRS.properties b/dogtag/console-ui/src/CMSAdminRS.properties index e421049..4cf156b 100644 --- a/dogtag/console-ui/src/CMSAdminRS.properties +++ b/dogtag/console-ui/src/CMSAdminRS.properties 
@@ -387,6 +387,12 @@ CAGENERAL_COMBOBOX_ALGORITHM_VALUE_2=SHA1 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_3=SHA256 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_4=SHA512 with RSA CAGENERAL_COMBOBOX_ALGORITHM_VALUE_5=SHA1 with DSA +CAGENERAL_BORDER_MANAGEMENT_LABEL=Serial Number Management +CAGENERAL_CHECKBOX_MANAGEMENT_LABEL=Enable serial number management +CAGENERAL_CHECKBOXL_MANAGEMENT_TTIP=Allow CA to manage serial numbers automatically +CAGENERAL_BORDER_RANDOM_LABEL=Random Certificate Serial Numbers +CAGENERAL_CHECKBOX_RANDOM_LABEL=Enable random certificate serial numbers +CAGENERAL_CHECKBOXL_RANDOM_TTIP=Allow CA to generate random certificate serial numbers CAGENERAL_BORDER_SERIAL_LABEL=Certificate Serial Number CAGENERAL_LABEL_SERIAL_LABEL=Next Serial Number: (0x) CAGENERAL_LABEL_SERIAL_TTIP=Specify the next serial number of the certificate that the CA issues From mharmsen at redhat.com Sat Apr 20 02:48:52 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Fri, 19 Apr 2013 19:48:52 -0700 Subject: [Pki-devel] [PATCH] random certificate serial numbers - updated In-Reply-To: <517201A7.7070304@redhat.com> References: <517201A7.7070304@redhat.com> Message-ID: <51720214.8060806@redhat.com> On 04/19/13 19:47, Andrew Wnuk wrote: > This patch adds support for random certificate serial numbers. > It was updated to add ability to configure random certificate serial > numbers using pkispawn. > > Bug 912554. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK I received a demo of this for a CA and a CA clone. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Sat Apr 20 04:20:54 2013 
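Review bot: The two new tooltip keys in the CMSAdminRS.properties hunk are spelled CAGENERAL_CHECKBOXL_MANAGEMENT_TTIP and CAGENERAL_CHECKBOXL_RANDOM_TTIP, while the labels added beside them use the prefix CAGENERAL_CHECKBOX_. The existing serial-number entries in the same hunk pair CAGENERAL_LABEL_SERIAL_LABEL with CAGENERAL_LABEL_SERIAL_TTIP under one prefix, so if the console builds the tooltip key from the label's prefix these two tooltips will not be found. Rename both to CAGENERAL_CHECKBOX_..._TTIP, or confirm that the CHECKBOXL spelling is what the lookup code expects.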
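Review bot: The new line in base/server/config/pkislots.cfg, PKI_ENABLE_RANDOM_SERIAL_NUMBERS=[PKI_ENABLE_RANDOM_SERIAL_NUMBERS], drops the _SLOT suffix that every neighbouring entry carries (PKI_GROUP_SLOT=[PKI_GROUP], PKI_INSTANCE_ID_SLOT=[PKI_INSTANCE_ID]), and the pkiparser.py hunk stores the value under the same suffix-less key. Name it PKI_ENABLE_RANDOM_SERIAL_NUMBERS_SLOT in both places unless the omission is deliberate. In the pkiparser.py hunk the value of pki_random_serial_numbers_enable is only passed through .lower(), so any string other than true or false is substituted unchanged; check it against the two accepted values and fail pkispawn early on anything else.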
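Review bot: In CMSCAGeneralPanel.populate() and applyCallback() the opening /* is moved up so that the PR_EE_ENABLED and PR_OCSP_ENABLED handling joins the already commented-out PR_RA_ENABLED code. Delete those branches rather than enlarging the comment block, and state in the commit message that the panel no longer reads or submits these two settings, because that change is separate from serial number management. In enableFields(), `if (!enable) mEnableRandomSerialNumbers.setSelected(enable);` reads more clearly with braces and a literal false.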
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 19 Apr 2013 23:20:54 -0500
Subject: [Pki-devel] [PATCH] 127 - add servlet to return 501 or d9 style instances
In-Reply-To: <1366399930.2337.3.camel@aleeredhat.laptop>
References: <1366399930.2337.3.camel@aleeredhat.laptop>
Message-ID: <517217A6.2090402@redhat.com>

On 4/19/2013 2:32 PM, Ade Lee wrote:
>
> Added servlet to return 501 for rest operations for d9 instances
>
> D9 instances run on tomcat6, which does not have support for the
> authenticator and realm. We are not supporting the REST operations
> on D9 style instances. They will need to be migrated.
>
> The migration framework has been modified to process d9 or d10
> style instances, and a migration script has been added to add the new
> servlet to existing d9 instances.

Some comments (some of which have been discussed over IRC):

1. To be consistent the pki_subsystem and pki_instance classes should be
called PKISubsystem and PKIInstance.

2. In PKIUpgrader's constructor the instance/subsystem objects are only
created for validation then discarded. It might be better to move the
validation inside the instances() or subsystems() where the objects are
actually created and stored.

3. There seems to be a bug in these lines:

    inst = pki.pki_instance(instance, instance_type)
    ...
    subs = pki.pki_instance(instance, subsystem, instance_type)

The second line probably should have been calling pki.pki_subsystem()
and the parameter should have been inst (the instance object, not the name).

4. To improve clarity, the subsystem/instance name variable should be
called 'name' inside the corresponding class, and 'subsystemName' or
'instanceName' outside the class.

5. The PKISubsystem constructor shouldn't need to take the type
parameter because it can be obtained from the instance.

6. The message in RESTServlet could be simplified into something like this:

    The REST services are not available because this server is a legacy
    Dogtag 9 server. To access the REST services this server must be
    migrated into a new Dogtag 10 server.

7. Instead of overriding doGet() and doPost() it's also possible to just
override service().

8. The --instance-type parameter works differently from the --instance
and --subsystem parameters. By default pki-upgrade will upgrade all
instances and subsystems on the system. If the --instance or --subsystem
is specified, it will narrow the scope to the specified
instance/subsystem only. The --instance-type, on the other hand, works
as an additional parameter to --instance and has a default value of 10.

Suppose there is a mix of Dogtag 9 and Dogtag 10 instances and some may
have the same names (e.g. D9 pki-ca and D10 pki-ca). The parameters will
work like this:

    pki-upgrade ==> upgrade all instances

    pki-upgrade --instance pki-ca ==> upgrade D10 pki-ca only

    pki-upgrade --instance pki-ca --instance-type 9
        ==> upgrade D9 pki-ca only

To be consistent it should work like this:

    pki-upgrade --instance pki-ca ==> upgrade both pki-ca instances

    pki-upgrade --instance pki-ca --instance-type 10
        ==> upgrade D10 pki-ca only

    pki-upgrade --instance-type 9 ==> upgrade all D9 instances

9. We discussed putting the context XML in
/conf/Catalina/localhost instead of META-INF. Is this going to
be handled by a separate upgrade script?

10. Document root could be obtained using self.doc.getroot() instead of
self.doc.find('.').

11. Element index could be obtained using self.root.index(mapping)
instead of list(self.root).index(mapping).

12. There are some trailing whitespaces.

--
Endi S. Dewata

From alee at redhat.com Mon Apr 22 13:54:49 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 09:54:49 -0400
Subject: [Pki-devel] [PATCH] 127 - add servlet to return 501 or d9 style instances
In-Reply-To: <517217A6.2090402@redhat.com>
References: <1366399930.2337.3.camel@aleeredhat.laptop> <517217A6.2090402@redhat.com>
Message-ID: <1366638889.23240.5.camel@aleeredhat.laptop>

On Fri, 2013-04-19 at 23:20 -0500, Endi Sukma Dewata wrote:
> On 4/19/2013 2:32 PM, Ade Lee wrote:
> >
> > Added servlet to return 501 for rest operations for d9 instances
> >
> > D9 instances run on tomcat6, which does not have support for the
> > authenticator and realm. We are not supporting the REST operations
> > on D9 style instances. They will need to be migrated.
> >
> > The migration framework has been modified to process d9 or d10
> > style instances, and a migration script has been added to add the new
> > servlet to existing d9 instances.
>
> Some comments (some of which have been discussed over IRC):
>
> 1. To be consistent the pki_subsystem and pki_instance classes should be
> called PKISubsystem and PKIInstance.

done

> 2. In PKIUpgrader's constructor the instance/subsystem objects are only
> created for validation then discarded. It might be better to move the
> validation inside the instances() or subsystems() where the objects are
> actually created and stored.

done - we now have a validate() method which is called by the
constructor.

> 3. There seems to be a bug in these lines:
>
>     inst = pki.pki_instance(instance, instance_type)
>     ...
>     subs = pki.pki_instance(instance, subsystem, instance_type)
>
> The second line probably should have been calling pki.pki_subsystem()
> and the parameter should have been inst (the instance object, not the name).

Done. This is validation code that has been removed.

> 4. To improve clarity, the subsystem/instance name variable should be
> called 'name' inside the corresponding class, and 'subsystemName' or
> 'instanceName' outside the class.

Done

> 5. The PKISubsystem constructor shouldn't need to take the type
> parameter because it can be obtained from the instance.

Done

> 6. The message in RESTServlet could be simplified into something like this:
>
>     The REST services are not available because this server is a legacy
>     Dogtag 9 server. To access the REST services this server must be
>     migrated into a new Dogtag 10 server.

Done

> 7. Instead of overriding doGet() and doPost() it's also possible to just
> override service().

Done

> 8. The --instance-type parameter works differently from the --instance
> and --subsystem parameters. By default pki-upgrade will upgrade all
> instances and subsystems on the system. If the --instance or --subsystem
> is specified, it will narrow the scope to the specified
> instance/subsystem only. The --instance-type, on the other hand, works
> as an additional parameter to --instance and has a default value of 10.
>
> Suppose there is a mix of Dogtag 9 and Dogtag 10 instances and some may
> have the same names (e.g. D9 pki-ca and D10 pki-ca). The parameters will
> work like this:
>
>     pki-upgrade ==> upgrade all instances
>
>     pki-upgrade --instance pki-ca ==> upgrade D10 pki-ca only
>
>     pki-upgrade --instance pki-ca --instance-type 9
>         ==> upgrade D9 pki-ca only
>
> To be consistent it should work like this:
>
>     pki-upgrade --instance pki-ca ==> upgrade both pki-ca instances
>
>     pki-upgrade --instance pki-ca --instance-type 10
>         ==> upgrade D10 pki-ca only
>
>     pki-upgrade --instance-type 9 ==> upgrade all D9 instances

Done

> 9. We discussed putting the context XML in
> /conf/Catalina/localhost instead of META-INF. Is this going to
> be handled by a separate upgrade script?

To be handled as a separate upgrade script when we do the 10.1
customization work.

> 10. Document root could be obtained using self.doc.getroot() instead of
> self.doc.find('.').

Done

> 11. Element index could be obtained using self.root.index(mapping)
> instead of list(self.root).index(mapping).

Done

> 12. There are some trailing whitespaces.

Fixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0127-2-Added-servlet-to-return-501-for-rest-operations-for-.patch
Type: text/x-patch
Size: 34271 bytes
Desc: not available
URL:

From alee at redhat.com Mon Apr 22 14:33:42 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 10:33:42 -0400
Subject: [Pki-devel] [PATCH] 52 Fix minor issues in RA and TPS configuration panels. #452
In-Reply-To: <1366311204.10308.1.camel@akoneru.redhat.com>
References: <1366311204.10308.1.camel@akoneru.redhat.com>
Message-ID: <1366641222.23240.7.camel@aleeredhat.laptop>

As discussed on #irc, it would be better to send in the full restart
command in both donepanel.vm and in the securitydomain panel.

Also, on donepanel.vm, an #if directive was removed, but not its
corresponding #end directive(s).

On Thu, 2013-04-18 at 14:53 -0400, Abhishek Koneru wrote:
> Please review the patch with fixes for minor issues in configuration
> panels of RA and TPS. Ticket #452.
>
> --Abhishek

From alee at redhat.com Mon Apr 22 16:18:05 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 12:18:05 -0400
Subject: [Pki-devel] [PATCH] 127 - add servlet to return 501 or d9 style instances
In-Reply-To: <1366638889.23240.5.camel@aleeredhat.laptop>
References: <1366399930.2337.3.camel@aleeredhat.laptop> <517217A6.2090402@redhat.com> <1366638889.23240.5.camel@aleeredhat.laptop>
Message-ID: <1366647485.31354.2.camel@aleeredhat.laptop>

Modified with changes based on comments in #irc.

1. PKIException now takes instance and subsystem objects instead of
names.
2. Changed __repr__ for PKIInstance
3. Fixed get_tracker
4. Redefine con_dir in terms of base_dir

Tested with d9 and d10 instances. All still looks good.

On Mon, 2013-04-22 at 09:54 -0400, Ade Lee wrote:
> On Fri, 2013-04-19 at 23:20 -0500, Endi Sukma Dewata wrote:
> > On 4/19/2013 2:32 PM, Ade Lee wrote:
> > >
> > > Added servlet to return 501 for rest operations for d9 instances
> > >
> > > D9 instances run on tomcat6, which does not have support for the
> > > authenticator and realm. We are not supporting the REST operations
> > > on D9 style instances. They will need to be migrated.
> > >
> > > The migration framework has been modified to process d9 or d10
> > > style instances, and a migration script has been added to add the new
> > > servlet to existing d9 instances.
> >
> > Some comments (some of which have been discussed over IRC):
> >
> > 1. To be consistent the pki_subsystem and pki_instance classes should be
> > called PKISubsystem and PKIInstance.
>
> done
>
> > 2. In PKIUpgrader's constructor the instance/subsystem objects are only
> > created for validation then discarded. It might be better to move the
> > validation inside the instances() or subsystems() where the objects are
> > actually created and stored.
>
> done - we now have a validate() method which is called by the
> constructor.
>
> > 3. There seems to be a bug in these lines:
> >
> >     inst = pki.pki_instance(instance, instance_type)
> >     ...
> >     subs = pki.pki_instance(instance, subsystem, instance_type)
> >
> > The second line probably should have been calling pki.pki_subsystem()
> > and the parameter should have been inst (the instance object, not the name).
>
> Done. This is validation code that has been removed.
>
> > 4. To improve clarity, the subsystem/instance name variable should be
> > called 'name' inside the corresponding class, and 'subsystemName' or
> > 'instanceName' outside the class.
>
> Done
>
> > 5. The PKISubsystem constructor shouldn't need to take the type
> > parameter because it can be obtained from the instance.
>
> Done
>
> > 6. The message in RESTServlet could be simplified into something like this:
> >
> >     The REST services are not available because this server is a legacy
> >     Dogtag 9 server. To access the REST services this server must be
> >     migrated into a new Dogtag 10 server.
>
> Done
>
> > 7. Instead of overriding doGet() and doPost() it's also possible to just
> > override service().
>
> Done
>
> > 8. The --instance-type parameter works differently from the --instance
> > and --subsystem parameters. By default pki-upgrade will upgrade all
> > instances and subsystems on the system. If the --instance or --subsystem
> > is specified, it will narrow the scope to the specified
> > instance/subsystem only. The --instance-type, on the other hand, works
> > as an additional parameter to --instance and has a default value of 10.
> >
> > Suppose there is a mix of Dogtag 9 and Dogtag 10 instances and some may
> > have the same names (e.g. D9 pki-ca and D10 pki-ca). The parameters will
> > work like this:
> >
> >     pki-upgrade ==> upgrade all instances
> >
> >     pki-upgrade --instance pki-ca ==> upgrade D10 pki-ca only
> >
> >     pki-upgrade --instance pki-ca --instance-type 9
> >         ==> upgrade D9 pki-ca only
> >
> > To be consistent it should work like this:
> >
> >     pki-upgrade --instance pki-ca ==> upgrade both pki-ca instances
> >
> >     pki-upgrade --instance pki-ca --instance-type 10
> >         ==> upgrade D10 pki-ca only
> >
> >     pki-upgrade --instance-type 9 ==> upgrade all D9 instances
>
> Done
>
> > 9. We discussed putting the context XML in
> > /conf/Catalina/localhost instead of META-INF. Is this going to
> > be handled by a separate upgrade script?
>
> To be handled as a separate upgrade script when we do the 10.1
> customization work.
>
> > 10. Document root could be obtained using self.doc.getroot() instead of
> > self.doc.find('.').
>
> Done
>
> > 11. Element index could be obtained using self.root.index(mapping)
> > instead of list(self.root).index(mapping).
>
> Done
>
> > 12. There are some trailing whitespaces.
>
> Fixed
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0127-3-Added-servlet-to-return-501-for-rest-operations-for-.patch
Type: text/x-patch
Size: 34333 bytes
Desc: not available
URL:

From akoneru at redhat.com Mon Apr 22 19:26:07 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 22 Apr 2013 15:26:07 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 52-2 Fixes for review comments for patch 52
In-Reply-To: <1366641222.23240.7.camel@aleeredhat.laptop>
References: <1366311204.10308.1.camel@akoneru.redhat.com> <1366641222.23240.7.camel@aleeredhat.laptop>
Message-ID: <321671022.338434.1366658767892.JavaMail.root@redhat.com>

Please review the patch with fixes for review comments on Patch 52.

--Abhishek

----- Original Message -----
From: "Ade Lee"
To: "Abhishek Koneru"
Cc: "pki-devel"
Sent: Monday, April 22, 2013 10:33:42 AM
Subject: Re: [Pki-devel] [PATCH] 52 Fix minor issues in RA and TPS configuration panels. #452

As discussed on #irc, it would be better to send in the full restart
command in both donepanel.vm and in the securitydomain panel.

Also, on donepanel.vm, an #if directive was removed, but not its
corresponding #end directive(s).

On Thu, 2013-04-18 at 14:53 -0400, Abhishek Koneru wrote:
> Please review the patch with fixes for minor issues in configuration
> panels of RA and TPS. Ticket #452.
>
> --Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0053-2-Minor-fixes-in-a-few-configuration-UI-panels-of-RA-a.patch
Type: text/x-patch
Size: 12098 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 22 19:41:43 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Apr 2013 14:41:43 -0500
Subject: [Pki-devel] [PATCH] 53 Check the actual result when revoking/unrevoking a certificate in CLI. Ticket 217
In-Reply-To: <1366396974.2405.2.camel@akoneru.redhat.com>
References: <1366396974.2405.2.camel@akoneru.redhat.com>
Message-ID: <51759277.8070303@redhat.com>

On 4/19/2013 1:42 PM, Abhishek Koneru wrote:
> Please review the patch for trac ticket 217.
>
> Added an additional check over the actual result of a revoke/unrevoke
> operation.

Some comments:

1. In CertRequestInfo the synchronized keywords don't seem to be
necessary. CertRequestInfo objects are created to pass REST operation
results to the client. They don't seem to be used by multiple threads.

2. In CertRequestInfoFactory the operationResult uses 'pass/fail' values
which are duplicated in several places. It might be better to use
'success/error' to match RES_SUCCESS and RES_ERROR constants, and these
values can be put in constant variables in CertRequestInfo:

    public static final String REQ_SUCCESS = "success";
    public static final String REQ_ERROR = "error";

This way we can be sure the operationResult will be used consistently.

3. In CertRequestInfoFactory the code for operationResult assignment
seems to be incorrect because it will assign 'fail' to completed
requests without error. Try cert-request-find, it will show all requests
for system certs as failed.

4. In CertCLI if the request status is COMPLETE but the operation result
is 'fail' the status will appear as REJECTED. This could be confusing
because the request is not actually rejected. I think we should display
the operation result separately from the status.

--
Endi S. Dewata

From akoneru at redhat.com Mon Apr 22 19:58:42 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 22 Apr 2013 15:58:42 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 54 Clean up code that logs installation information in pkispawn
In-Reply-To: <511091538.345755.1366660561585.JavaMail.root@redhat.com>
Message-ID: <1976611376.346155.1366660722488.JavaMail.root@redhat.com>

Currently, after the instance is installed, some additional information
is printed on the console. This data is also logged in the log file.
When pkispawn is executed in a verbose mode, it will display the
information twice and in an unordered way.

This patch removes these log statements.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0054-Remove-installation-information-logs-in-pkispawn.patch
Type: text/x-patch
Size: 2827 bytes
Desc: not available
URL:

From akoneru at redhat.com Mon Apr 22 20:21:15 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 22 Apr 2013 16:21:15 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 54 Clean up code that logs installation information in pkispawn
In-Reply-To: <1976611376.346155.1366660722488.JavaMail.root@redhat.com>
References: <1976611376.346155.1366660722488.JavaMail.root@redhat.com>
Message-ID: <1029555315.351309.1366662075931.JavaMail.root@redhat.com>

Fixed the comments and pushed to master.

Comments mentioned by Endi on IRC.
--Remove trailing whitespace.
--Change the title to "INSTALLATION SUMMARY"
--ACK after the two issues are addressed.

--Abhishek

----- Original Message -----
From: "Abhishek Koneru"
To: pki-devel at redhat.com
Sent: Monday, April 22, 2013 3:58:42 PM
Subject: [Pki-devel] [PATCH] 54 Clean up code that logs installation information in pkispawn

Currently, after the instance is installed, some additional information
is printed on the console. This data is also logged in the log file.
When pkispawn is executed in a verbose mode, it will display the
information twice and in an unordered way.

This patch removes these log statements.

--Abhishek

From alee at redhat.com Mon Apr 22 20:22:16 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 16:22:16 -0400
Subject: [Pki-devel] [PATCH] 127 - add servlet to return 501 or d9 style instances
In-Reply-To: <1366647485.31354.2.camel@aleeredhat.laptop>
References: <1366399930.2337.3.camel@aleeredhat.laptop> <517217A6.2090402@redhat.com> <1366638889.23240.5.camel@aleeredhat.laptop> <1366647485.31354.2.camel@aleeredhat.laptop>
Message-ID: <1366662136.15316.0.camel@aleeredhat.laptop>

acked by Endi. Pushed to master.

On Mon, 2013-04-22 at 12:18 -0400, Ade Lee wrote:
> Modified with changes based on comments in #irc.
>
> 1. PKIException now takes instance and subsystem objects instead of
> names.
> 2. Changed __repr__ for PKIInstance
> 3. Fixed get_tracker
> 4. Redefine con_dir in terms of base_dir
>
> Tested with d9 and d10 instances. All still looks good.
>
> On Mon, 2013-04-22 at 09:54 -0400, Ade Lee wrote:
> > On Fri, 2013-04-19 at 23:20 -0500, Endi Sukma Dewata wrote:
> > > On 4/19/2013 2:32 PM, Ade Lee wrote:
> > > >
> > > > Added servlet to return 501 for rest operations for d9 instances
> > > >
> > > > D9 instances run on tomcat6, which does not have support for the
> > > > authenticator and realm. We are not supporting the REST operations
> > > > on D9 style instances. They will need to be migrated.
> > > >
> > > > The migration framework has been modified to process d9 or d10
> > > > style instances, and a migration script has been added to add the new
> > > > servlet to existing d9 instances.
> > >
> > > Some comments (some of which have been discussed over IRC):
> > >
> > > 1. To be consistent the pki_subsystem and pki_instance classes should be
> > > called PKISubsystem and PKIInstance.
> >
> > done
> >
> > > 2. In PKIUpgrader's constructor the instance/subsystem objects are only
> > > created for validation then discarded. It might be better to move the
> > > validation inside the instances() or subsystems() where the objects are
> > > actually created and stored.
> >
> > done - we now have a validate() method which is called by the
> > constructor.
> >
> > > 3. There seems to be a bug in these lines:
> > >
> > >     inst = pki.pki_instance(instance, instance_type)
> > >     ...
> > >     subs = pki.pki_instance(instance, subsystem, instance_type)
> > >
> > > The second line probably should have been calling pki.pki_subsystem()
> > > and the parameter should have been inst (the instance object, not the name).
> >
> > Done. This is validation code that has been removed.
> >
> > > 4. To improve clarity, the subsystem/instance name variable should be
> > > called 'name' inside the corresponding class, and 'subsystemName' or
> > > 'instanceName' outside the class.
> >
> > Done
> >
> > > 5. The PKISubsystem constructor shouldn't need to take the type
> > > parameter because it can be obtained from the instance.
> >
> > Done
> >
> > > 6. The message in RESTServlet could be simplified into something like this:
> > >
> > >     The REST services are not available because this server is a legacy
> > >     Dogtag 9 server. To access the REST services this server must be
> > >     migrated into a new Dogtag 10 server.
> >
> > Done
> >
> > > 7. Instead of overriding doGet() and doPost() it's also possible to just
> > > override service().
> >
> > Done
> >
> > > 8. The --instance-type parameter works differently from the --instance
> > > and --subsystem parameters. By default pki-upgrade will upgrade all
> > > instances and subsystems on the system. If the --instance or --subsystem
> > > is specified, it will narrow the scope to the specified
> > > instance/subsystem only. The --instance-type, on the other hand, works
> > > as an additional parameter to --instance and has a default value of 10.
> > >
> > > Suppose there is a mix of Dogtag 9 and Dogtag 10 instances and some may
> > > have the same names (e.g. D9 pki-ca and D10 pki-ca). The parameters will
> > > work like this:
> > >
> > >     pki-upgrade ==> upgrade all instances
> > >
> > >     pki-upgrade --instance pki-ca ==> upgrade D10 pki-ca only
> > >
> > >     pki-upgrade --instance pki-ca --instance-type 9
> > >         ==> upgrade D9 pki-ca only
> > >
> > > To be consistent it should work like this:
> > >
> > >     pki-upgrade --instance pki-ca ==> upgrade both pki-ca instances
> > >
> > >     pki-upgrade --instance pki-ca --instance-type 10
> > >         ==> upgrade D10 pki-ca only
> > >
> > >     pki-upgrade --instance-type 9 ==> upgrade all D9 instances
> >
> > Done
> >
> > > 9. We discussed putting the context XML in
> > > /conf/Catalina/localhost instead of META-INF. Is this going to
> > > be handled by a separate upgrade script?
> >
> > To be handled as a separate upgrade script when we do the 10.1
> > customization work.
> >
> > > 10. Document root could be obtained using self.doc.getroot() instead of
> > > self.doc.find('.').
> >
> > Done
> >
> > > 11. Element index could be obtained using self.root.index(mapping)
> > > instead of list(self.root).index(mapping).
> >
> > Done
> >
> > > 12. There are some trailing whitespaces.
> >
> > Fixed

From akoneru at redhat.com Mon Apr 22 20:23:00 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Mon, 22 Apr 2013 16:23:00 -0400 (EDT)
Subject: [Pki-devel] [PATCH] 52-2 Fixes for review comments for patch 52
In-Reply-To: <321671022.338434.1366658767892.JavaMail.root@redhat.com>
References: <1366311204.10308.1.camel@akoneru.redhat.com> <1366641222.23240.7.camel@aleeredhat.laptop> <321671022.338434.1366658767892.JavaMail.root@redhat.com>
Message-ID: <2071859080.351606.1366662180758.JavaMail.root@redhat.com>

Comments given by Ade on IRC.
--Correct the typo in the value of restartCOmmand in ra/Donepanel.pm.
-- ACK after fixing the issue.

Fixed the typo and pushed to master.

--Abhishek

----- Original Message -----
From: "Abhishek Koneru"
To: pki-devel at redhat.com
Sent: Monday, April 22, 2013 3:26:07 PM
Subject: [Pki-devel] [PATCH] 52-2 Fixes for review comments for patch 52

Please review the patch with fixes for review comments on Patch 52.

--Abhishek

----- Original Message -----
From: "Ade Lee"
To: "Abhishek Koneru"
Cc: "pki-devel"
Sent: Monday, April 22, 2013 10:33:42 AM
Subject: Re: [Pki-devel] [PATCH] 52 Fix minor issues in RA and TPS configuration panels. #452

As discussed on #irc, it would be better to send in the full restart
command in both donepanel.vm and in the securitydomain panel.

Also, on donepanel.vm, an #if directive was removed, but not its
corresponding #end directive(s).

On Thu, 2013-04-18 at 14:53 -0400, Abhishek Koneru wrote:
> Please review the patch with fixes for minor issues in configuration
> panels of RA and TPS. Ticket #452.
>
> --Abhishek

From alee at redhat.com Mon Apr 22 20:35:26 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 16:35:26 -0400
Subject: [Pki-devel] PATCH 128 - added directories to spec file
Message-ID: <1366662926.15316.2.camel@aleeredhat.laptop>

Add directories to spec file

Added /var/lib/pki and /var/log/pki to spec file so that we
deliver them with pki-server and pki-base respectively.

Please review.

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0128-Add-directories-to-spec-file.patch
Type: text/x-patch
Size: 2060 bytes
Desc: not available
URL:

From alee at redhat.com Mon Apr 22 20:47:28 2013
From: alee at redhat.com (Ade Lee)
Date: Mon, 22 Apr 2013 16:47:28 -0400
Subject: [Pki-devel] PATCH 128 - added directories to spec file
In-Reply-To: <1366662926.15316.2.camel@aleeredhat.laptop>
References: <1366662926.15316.2.camel@aleeredhat.laptop>
Message-ID: <1366663648.15316.3.camel@aleeredhat.laptop>

acked by endi. pushed to master.

On Mon, 2013-04-22 at 16:35 -0400, Ade Lee wrote:
> Add directories to spec file
>
> Added /var/lib/pki and /var/log/pki to spec file so that we
> deliver them with pki-server and pki-base respectively.
>
> Please review.
>
> Ade

From awnuk at redhat.com Tue Apr 23 00:47:50 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Mon, 22 Apr 2013 17:47:50 -0700
Subject: [Pki-devel] [Patch] corrected key IDs for key search result and key record views
Message-ID: <5175DA36.6070607@redhat.com>

This patch corrects key IDs for key search result and key record views.

Bug: 951501.
-------------- next part --------------
Index: pki/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java (revision 2533) +++ pki/base/common/src/com/netscape/cms/servlet/key/KeyRecordParser.java (working copy) 
@@ -50,6 +50,7 @@ public final static String OUT_STATE = "state"; public final static String OUT_OWNER_NAME = "ownerName"; public final static String OUT_SERIALNO = "serialNumber"; + public final static String OUT_SERIALNO_IN_HEX = "serialNumberInHex"; public final static String OUT_KEY_ALGORITHM = "keyAlgorithm"; public final static String OUT_PUBLIC_KEY = "publicKey"; public final static String OUT_KEY_LEN = "keyLength"; @@ -73,6 +74,8 @@ rec.getOwnerName()); rarg.addBigIntegerValue(OUT_SERIALNO, rec.getSerialNumber(), 10); + rarg.addBigIntegerValue(OUT_SERIALNO_IN_HEX, + rec.getSerialNumber(), 16); rarg.addStringValue(OUT_KEY_ALGORITHM, rec.getAlgorithm()); // Possible Enhancement: sun's BASE64Encode is not Index: pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKey.template =================================================================== --- pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKey.template (revision 16063) +++ pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKey.template (working copy) @@ -48,7 +48,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; 
@@ -107,8 +108,8 @@ document.write(''); document.write(''); - // document.write('' + renderHexNumber(rec.serialNumber,8) + ''); - document.write('' + renderHexNumber(rec.serialNumber,8) + ''); + // document.write('' + renderHexNumber(rec.serialNumberInHex,8) + ''); + document.write('' + renderHexNumber(rec.serialNumberInHex,8) + ''); document.write('' + rec.state + ''); document.write('' + renderDateFromSecs(rec.archivedOn) + ''); document.write('' + renderDateFromSecs(rec.archivedOn) + ''); Index: pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template =================================================================== --- pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template (revision 16063) +++ pki/redhat/kra-ui/shared/webapps/kra/agent/kra/srchKeyForRecovery.template (working copy) @@ -47,7 +47,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; @@ -120,8 +121,8 @@ document.write(''); document.write(''); - // document.write('' + renderHexNumber(rec.serialNumber,8) + ''); - document.write('' + renderHexNumber(rec.serialNumber,8) + ''); + // document.write('' + renderHexNumber(rec.serialNumberInHex,8) + ''); + document.write('' + renderHexNumber(rec.serialNumberInHex,8) + ''); document.write('' + rec.state + ''); document.write('' + renderDateFromSecs(rec.archivedOn) + ''); document.write('' + renderDateFromSecs(rec.archivedOn) + ''); Index: pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template =================================================================== --- pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template (revision 16063) +++ pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerial.template (working copy) 
@@ -31,7 +31,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; @@ -57,7 +58,7 @@ '?op=displayBySerial&serialNumber=' + result.header.serialNumber + '"' + 'onMouseOver=" return helpstatus(\'Click to redisplay this ' + 'request \')" onMouseOut="return helpstatus(\'\')">' + - renderHexNumber(result.header.serialNumber,8) + + renderHexNumber(result.header.serialNumberInHex,8) + ''); document.writeln('
 
'); Index: pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template =================================================================== --- pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template (revision 16063) +++ pki/redhat/kra-ui/shared/webapps/kra/agent/kra/displayBySerialForRecovery.template (working copy) @@ -43,7 +43,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; @@ -97,7 +98,7 @@ 'op=displayBySerial&serialNumber=' + result.header.serialNumber + '"' + 'onMouseOver=" return helpstatus(\'Click to redisplay this ' + 'request \')" onMouseOut="return helpstatus(\'\')">' + - renderHexNumber(result.header.serialNumber,8) + + renderHexNumber(result.header.serialNumberInHex,8) + ''); document.writeln('
 
'); From mharmsen at redhat.com Tue Apr 23 01:00:30 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Mon, 22 Apr 2013 18:00:30 -0700 Subject: [Pki-devel] [Patch] corrected key IDs for key search result and key record views In-Reply-To: <5175DA36.6070607@redhat.com> References: <5175DA36.6070607@redhat.com> Message-ID: <5175DD2E.10304@redhat.com> On 04/22/13 17:47, Andrew Wnuk wrote: > This patch corrects key IDs for key search result and key record views. > > Bug: 951501. > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK - I received a demo of this fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Tue Apr 23 03:51:49 2013 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 22 Apr 2013 22:51:49 -0500 Subject: [Pki-devel] [PATCH] 230 Adding CLI functionality to import CA certificate. In-Reply-To: <51703F45.9010503@redhat.com> References: <51703F45.9010503@redhat.com> Message-ID: <51760555.5060507@redhat.com> On 4/18/2013 1:45 PM, Endi Sukma Dewata wrote: > The CLI has been modified such that when it connects to an untrusted > server it will ask the user whether to import the CA certificate and > also ask for the location of the CA server from which to download > the CA certificate. > > Ticket #491 ACKed by Ade. Pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Apr 23 03:51:54 2013 
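Review bot: In the KeyRecordParser.java hunks of the Bug 951501 patch above, the new OUT_SERIALNO_IN_HEX field is added next to OUT_SERIALNO with no comment saying why the same serial number is sent in both radix 10 and radix 16. A one-line comment at the second addBigIntegerValue call (the templates display the hex form as sent and no longer convert it in the browser) would keep a later cleanup from dropping one of the two as redundant.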
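Review bot: In the renderHexNumber hunks of the four .template files in the Bug 951501 patch above, the function now reads num.length directly on its argument, so a record that lacks serialNumberInHex makes it throw on undefined instead of rendering a key ID. Check the argument before the padding loop (or fall back to the decimal serialNumber), delete the commented-out //var num = toHex(number); line rather than keeping it, and in the srchKey and srchKeyForRecovery hunks drop the commented-out document.write line instead of editing it.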
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 22 Apr 2013 22:51:54 -0500
Subject: [Pki-devel] [PATCH] 232 Added options to reject/ignore cert validity statuses.
In-Reply-To: <51718AA3.9070208@redhat.com>
References: <51718AA3.9070208@redhat.com>
Message-ID: <5176055A.4050401@redhat.com>

On 4/19/2013 1:19 PM, Endi Sukma Dewata wrote:
> New options have been added to the CLI to reject or ignore certain
> cert validity statuses such as UNTRUSTED_ISSUER or BAD_CERT_DOMAIN.
> The options can also be defined in pki.conf as a system-wide policy.
>
> Ticket #491

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From akoneru at redhat.com Tue Apr 23 06:19:29 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 23 Apr 2013 02:19:29 -0400
Subject: [Pki-devel] [PATCH] 53-2 Fixes for comments for patch 53
In-Reply-To: <51759277.8070303@redhat.com>
References: <1366396974.2405.2.camel@akoneru.redhat.com> <51759277.8070303@redhat.com>
Message-ID: <1366697969.27267.3.camel@akoneru.redhat.com>

Please review the patch with fixes for review comments on patch 53.

On Mon, 2013-04-22 at 14:41 -0500, Endi Sukma Dewata wrote:
> On 4/19/2013 1:42 PM, Abhishek Koneru wrote:
> > Please review the patch for trac ticket 217.
> >
> > Added an additional check over the actual result of a revoke/unrevoke
> > operation.
>
> Some comments:
>
> 1. In CertRequestInfo the synchronized keywords don't seem to be
> necessary. CertRequestInfo objects are created to pass REST operation
> results to the client. They don't seem to be used by multiple threads.
>
--Removed the synchronized keywords
> 2. In CertRequestInfoFactory the operationResult uses 'pass/fail' values
> which are duplicated in several places. It might be better to use
> 'success/error' to match RES_SUCCESS and RES_ERROR constants, and these
> values can be put in constant variables in CertRequestInfo:
>
>     public static final String REQ_SUCCESS = "success";
>     public static final String REQ_ERROR = "error";
>
> This way we can be sure the operationResult will be used consistently.
>
-- Added the constant variables in CertRequestInfo
> 3. In CertRequestInfoFactory the code for operationResult assignment
> seems to be incorrect because it will assign 'fail' to completed
> requests without error. Try cert-request-find, it will show all requests
> for system certs as failed.
>
-- Corrected. Null value for result is given as a SUCCESS
> 4. In CertCLI if the request status is COMPLETE but the operation result
> is 'fail' the status will appear as REJECTED. This could be confusing
> because the request is not actually rejected. I think we should display
> the operation result separately from the status.
>
-- Printing the operation result separately.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0053-2-Check-the-actual-result-of-operations-cert-revoke-un.patch
Type: text/x-patch
Size: 11272 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 23 19:07:25 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 23 Apr 2013 14:07:25 -0500
Subject: [Pki-devel] [PATCH] 233 Refactored code to import CA certificate.
Message-ID: <5176DBED.5020409@redhat.com>

The code to import CA certificate has been moved from PKIConnection
into PKIClient to allow reuse. The Client classes have been modified
such that they use a shared PKIClient object instead of PKIConnection.
The return codes in CertFindCLI have been fixed to be more consistent
with other commands.

Ticket #491

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0233-Refactored-code-to-import-CA-certificate.patch
Type: text/x-patch
Size: 44904 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 23 19:07:35 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 23 Apr 2013 14:07:35 -0500
Subject: [Pki-devel] [PATCH] 234 Added Client CLI module.
Message-ID: <5176DBF7.1040201@redhat.com>

A new CLI module has been added to manage certificates in client
security database.

Ticket #491

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0234-Added-Client-CLI-module.patch
Type: text/x-patch
Size: 19210 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 23 19:53:00 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 23 Apr 2013 14:53:00 -0500
Subject: [Pki-devel] [PATCH] 53-2 Fixes for comments for patch 53
In-Reply-To: <1366697969.27267.3.camel@akoneru.redhat.com>
References: <1366396974.2405.2.camel@akoneru.redhat.com> <51759277.8070303@redhat.com> <1366697969.27267.3.camel@akoneru.redhat.com>
Message-ID: <5176E69C.6050108@redhat.com>

Some additional comments below.

On 4/23/2013 1:19 AM, Abhishek Koneru wrote:
>> 2. In CertRequestInfoFactory the operationResult uses 'pass/fail' values
>> which are duplicated in several places. It might be better to use
>> 'success/error' to match RES_SUCCESS and RES_ERROR constants, and these
>> values can be put in constant variables in CertRequestInfo:
>>
>>     public static final String REQ_SUCCESS = "success";
>>     public static final String REQ_ERROR = "error";
>>
>> This way we can be sure the operationResult will be used consistently.
>>
> -- Added the constant variables in CertRequestInfo

Actually they should use RES_ prefix instead of REQ_ to match
IRequest.RES_SUCCESS/ERROR since it's for 'result', or don't use prefix
at all.
Also, the new constants use uppercase values "SUCCESS/ERROR", but
the request status is in lower case. It would be more consistent to use
lowercase values too for the result.

    Request ID: 5
    Type: enrollment
    Request Status: complete
    Operation Result: SUCCESS <-- use lower case
    Certificate ID: 0x5

>> 3. In CertRequestInfoFactory the code for operationResult assignment
>> seems to be incorrect because it will assign 'fail' to completed
>> requests without error. Try cert-request-find, it will show all requests
>> for system certs as failed.
>>
> -- Corrected. Null value for result is given as a SUCCESS

The code can be simplified as follows:

    if (result == null || result.equals(IRequest.RES_SUCCESS)) {
        info.setOperationResult(CertRequestInfo.RES_SUCCESS);

    } else {
        info.setOperationResult(CertRequestInfo.RES_ERROR);
        String error = request.getExtDataInString(IRequest.ERROR);
        info.setErrorMessage(error); <-- no need to check for null
    }

Everything else is good. ACK.

--
Endi S. Dewata

From akoneru at redhat.com Tue Apr 23 20:15:24 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 23 Apr 2013 16:15:24 -0400
Subject: [Pki-devel] [PATCH] 53-2 Fixes for comments for patch 53
In-Reply-To: <5176E69C.6050108@redhat.com>
References: <1366396974.2405.2.camel@akoneru.redhat.com> <51759277.8070303@redhat.com> <1366697969.27267.3.camel@akoneru.redhat.com> <5176E69C.6050108@redhat.com>
Message-ID: <1366748124.2190.1.camel@akoneru.redhat.com>

Added the latest suggestion. Pushed to master.

--Abhishek

On Tue, 2013-04-23 at 14:53 -0500, Endi Sukma Dewata wrote:
> Some additional comments below.
>
> On 4/23/2013 1:19 AM, Abhishek Koneru wrote:
> >> 2. In CertRequestInfoFactory the operationResult uses 'pass/fail' values
> >> which are duplicated in several places. It might be better to use
> >> 'success/error' to match RES_SUCCESS and RES_ERROR constants, and these
> >> values can be put in constant variables in CertRequestInfo:
> >>
> >>     public static final String REQ_SUCCESS = "success";
> >>     public static final String REQ_ERROR = "error";
> >>
> >> This way we can be sure the operationResult will be used consistently.
> >>
> > -- Added the constant variables in CertRequestInfo
>
> Actually they should use RES_ prefix instead of REQ_ to match
> IRequest.RES_SUCCESS/ERROR since it's for 'result', or don't use prefix
> at all.
> Also, the new constants use uppercase values "SUCCESS/ERROR", but
> the request status is in lower case. It would be more consistent to use
> lowercase values too for the result.
>
>     Request ID: 5
>     Type: enrollment
>     Request Status: complete
>     Operation Result: SUCCESS <-- use lower case
>     Certificate ID: 0x5
>
-- Changed as mentioned.
> >> 3. In CertRequestInfoFactory the code for operationResult assignment
> >> seems to be incorrect because it will assign 'fail' to completed
> >> requests without error. Try cert-request-find, it will show all requests
> >> for system certs as failed.
> >>
> > -- Corrected. Null value for result is given as a SUCCESS
>
> The code can be simplified as follows:
>
>     if (result == null || result.equals(IRequest.RES_SUCCESS)) {
>         info.setOperationResult(CertRequestInfo.RES_SUCCESS);
>
>     } else {
>         info.setOperationResult(CertRequestInfo.RES_ERROR);
>         String error = request.getExtDataInString(IRequest.ERROR);
>         info.setErrorMessage(error); <-- no need to check for null
>     }
>
-- Changed as suggested.
> Everything else is good. ACK.
>

From akoneru at redhat.com Tue Apr 23 22:23:18 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 23 Apr 2013 18:23:18 -0400
Subject: [Pki-devel] [PATCH] 55 If a configuration result has a single cert, convert it into an array #Ticket 593
Message-ID: <1366755798.2190.7.camel@akoneru.redhat.com>

Please review the patch with fix for issue #593.

Issue:

The code expects a list of system certs in a configuration result.
But if there is only one cert, the JSON result has just the object but
not a list with one object.

Fix:

Put the single cert in an array and continue.

Both CA and clone CA installed fine and passed smoke test.

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0055-Defect-Installation-fails-if-there-is-only-one-syste.patch
Type: text/x-patch
Size: 1502 bytes
Desc: not available
URL:

From awnuk at redhat.com Wed Apr 24 01:27:43 2013
From: awnuk at redhat.com (Andrew Wnuk) Date: Tue, 23 Apr 2013 18:27:43 -0700 Subject: [Pki-devel] correcting JavaScript inability to handle big numbers Message-ID: <5177350F.6060609@redhat.com> This patch corrects JavaScript inability to handle big numbers in key key recovery process. Bug: 955784. -------------- next part -------------- Index: pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java (revision 2533) +++ pki/base/common/src/com/netscape/cms/servlet/key/RecoverBySerial.java (working copy) @@ -68,6 +68,7 @@ private final static String OUT_OP = "op"; private final static String OUT_SERIALNO = IN_SERIALNO; + private final static String OUT_SERIALNO_IN_HEX = "serialNumberInHex"; private final static String OUT_RECOVERY_SUCCESS = "recoverySuccess"; private final static String OUT_SERVICE_URL = "serviceURL"; private final static String OUT_ERROR = "errorDetails"; @@ -288,6 +289,8 @@ new BigInteger(seq), x509cert, (String) sContext.get(SessionContext.USER_ID)); header.addStringValue(OUT_SERIALNO, req.getParameter(IN_SERIALNO)); + header.addStringValue(OUT_SERIALNO_IN_HEX, + new BigInteger(req.getParameter(IN_SERIALNO)).toString(16)); header.addStringValue("requestID", reqID); } catch (EBaseException e) { String error = 
@@ -404,6 +407,8 @@ req.getParameter(OUT_OP)); header.addBigIntegerValue(OUT_SERIALNO, new BigInteger(seq), 10); + header.addBigIntegerValue(OUT_SERIALNO_IN_HEX, + new BigInteger(seq), 16); header.addStringValue(OUT_SERVICE_URL, req.getRequestURI()); byte pkcs12[] = mService.doKeyRecovery( Index: pki/base/common/src/com/netscape/cms/servlet/key/GetApprovalStatus.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/key/GetApprovalStatus.java (revision 2533) +++ pki/base/common/src/com/netscape/cms/servlet/key/GetApprovalStatus.java (working copy) @@ -154,6 +154,8 @@ } header.addStringValue("serialNumber", (String) params.get("keyID")); + header.addStringValue("serialNumberInHex", + new BigInteger((String) params.get("keyID")).toString(16)); int requiredNumber = mService.getNoOfRequiredAgents(); Index: pki/base/common/src/com/netscape/cms/servlet/key/GrantRecovery.java =================================================================== --- pki/base/common/src/com/netscape/cms/servlet/key/GrantRecovery.java (revision 2533) +++ pki/base/common/src/com/netscape/cms/servlet/key/GrantRecovery.java (working copy) @@ -268,6 +268,8 @@ } header.addStringValue("serialNumber", (String) h.get("keyID")); + header.addStringValue("serialNumberInHex", + new BigInteger((String) h.get("keyID")).toString(16)); mService.addDistributedCredential(recoveryID, agentID, agentPWD); header.addStringValue("agentID", Index: pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/grantRecovery.template =================================================================== --- pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/grantRecovery.template (revision 2533) +++ pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/grantRecovery.template (working copy) @@ -33,7 +33,8 @@ document.write("

"); document.write(''); document.write('Recovery of key with key identifier ' + - toHex(result.header.serialNumber) + + ((typeof(result.header.serialNumberInHex) != "undefined")? + result.header.serialNumberInHex: toHex(result.header.serialNumber)) + ' has been granted by ' + result.header.agentID); document.write(''); } Index: pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getApprovalStatus.template =================================================================== --- pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getApprovalStatus.template (revision 2533) +++ pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/getApprovalStatus.template (working copy) @@ -35,7 +35,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; @@ -53,7 +54,7 @@ document.writeln(''); document.writeln(''); - document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumber,8) + ''); + document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumberInHex,8) + ''); document.writeln(''); document.write(''); Index: pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishAsyncRecovery.template =================================================================== --- pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishAsyncRecovery.template (revision 2533) +++ pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishAsyncRecovery.template (working copy) @@ -34,7 +34,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; 
@@ -52,7 +53,7 @@ document.writeln(''); document.writeln(''); - document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumber,8) + ''); + document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumberInHex,8) + ''); document.writeln(''); document.write(''); Index: pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishRecovery.template =================================================================== --- pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishRecovery.template (revision 2533) +++ pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/finishRecovery.template (working copy) @@ -34,7 +34,8 @@ function renderHexNumber(number,width) { - var num = toHex(number); + //var num = toHex(number); + var num = number; while (num.length < width) num = "0"+num; return "0x"+num; @@ -52,7 +53,7 @@ document.writeln(''); document.writeln(''); - document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumber,8) + ''); + document.write('Key Identifier: ' + renderHexNumber(result.header.serialNumberInHex,8) + ''); document.writeln(''); document.write(''); Index: pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/recoverBySerial.template =================================================================== --- pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/recoverBySerial.template (revision 2533) +++ pki/dogtag/kra-ui/shared/webapps/kra/agent/kra/recoverBySerial.template (working copy) @@ -35,7 +35,8 @@ document.write("

"); document.write(''); document.write('Recovery request for Key with key identifier ' + - toHex(result.header.serialNumber) + + ((typeof(result.header.serialNumberInHex) != "undefined")? + result.header.serialNumberInHex: toHex(result.header.serialNumber)) + ' has been submitted.\n' + 'Waiting for recovery agents\' approval...'); From mharmsen at redhat.com Wed Apr 24 01:29:53 2013 From: mharmsen at redhat.com (Matthew Harmsen) Date: Tue, 23 Apr 2013 18:29:53 -0700 Subject: [Pki-devel] correcting JavaScript inability to handle big numbers In-Reply-To: <5177350F.6060609@redhat.com> References: <5177350F.6060609@redhat.com> Message-ID: <51773591.10008@redhat.com> On 04/23/13 18:27, Andrew Wnuk wrote: > This patch corrects JavaScript inability to handle big numbers in key > key recovery process. > > Bug: 955784. > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel ACK I received a demo of this fix. -------------- next part -------------- An HTML attachment was scrubbed... URL: From edewata at redhat.com Wed Apr 24 01:37:53 2013 
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 23 Apr 2013 20:37:53 -0500
Subject: [Pki-devel] [PATCH] 55 If a configuration result has a single cert, convert it into an array #Ticket 593
In-Reply-To: <1366755798.2190.7.camel@akoneru.redhat.com>
References: <1366755798.2190.7.camel@akoneru.redhat.com>
Message-ID: <51773771.5070702@redhat.com>

On 4/23/2013 5:23 PM, Abhishek Koneru wrote:
> Please review the patch with fix for issue #593.
>
> Issue:
>
> The code expects a list of system certs in a configuration result.
> But if there is only one cert, the JSON result has just the object but
> not a list with one object.
>
> Fix:
>
> Put the single cert in an array and continue.
>
> Both CA and clone CA installed fine and passed smoke test.

ACK. Just one thing, please add a space after the comma:

    if not isinstance(certs,types.ListType):

--
Endi S. Dewata

From akoneru at redhat.com Wed Apr 24 03:17:17 2013
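Review bot: In the GetApprovalStatus.java and GrantRecovery.java hunks of the Bug 955784 patch (correcting JavaScript inability to handle big numbers) above, new BigInteger((String) params.get("keyID")) and new BigInteger((String) h.get("keyID")) are built with no visible check that keyID is present and numeric, so a missing or malformed value would raise NullPointerException or NumberFormatException at the new line unless it is validated outside the context shown. Parse keyID once with an explicit error path and reuse the result; in RecoverBySerial.java the -288 hunk also re-parses req.getParameter(IN_SERIALNO) with addStringValue and toString(16) while the -404 hunk uses addBigIntegerValue(OUT_SERIALNO_IN_HEX, new BigInteger(seq), 16), and one form should be used in both.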
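Review bot: In the template hunks of the Bug 955784 patch (correcting JavaScript inability to handle big numbers) above, grantRecovery.template and recoverBySerial.template test typeof(result.header.serialNumberInHex) and fall back to toHex(result.header.serialNumber), but getApprovalStatus, finishAsyncRecovery and finishRecovery pass result.header.serialNumberInHex straight to renderHexNumber, which reads num.length and throws if the field is absent. Apply the same handling in all five templates, or put the check inside renderHexNumber, and remove the commented-out //var num = toHex(number); line.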
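The failure mode behind the "JavaScript inability to handle big numbers" thread (Bug 955784) above, as an added example that is not part of the patch or of the PKI code base: a decimal key identifier above 2^53 cannot pass through a JavaScript Number without losing digits, so two different keys can render as the same hex ID, while converting the decimal string directly, or receiving the hex string from the server as the patch does, stays exact. All function names and serial numbers are constructed for illustration; the templates' own toHex() is not shown on the page.

```javascript
// Added illustration; not code from the patch or from the PKI templates.
// All function names and serial numbers below are constructed.

// Stand-in for a client-side helper that goes through a JavaScript Number.
// A Number is an IEEE-754 double: integers above 2^53 are rounded.
function naiveToHex(decimal) {
  return Number(decimal).toString(16);
}

// Exact decimal-string to hex-string conversion that never builds a Number
// larger than 159, so it also works in engines without BigInt.
function decimalStringToHex(decimal) {
  if (typeof decimal !== "string" || !/^[0-9]+$/.test(decimal)) {
    throw new TypeError("expected a string of decimal digits");
  }
  const nibbles = [0]; // hex digits, least significant first
  for (const ch of decimal) {
    let carry = ch.charCodeAt(0) - 48; // value = value * 10 + digit
    for (let i = 0; i < nibbles.length; i++) {
      const v = nibbles[i] * 10 + carry;
      nibbles[i] = v & 0xf;
      carry = v >> 4;
    }
    while (carry > 0) {
      nibbles.push(carry & 0xf);
      carry >>= 4;
    }
  }
  return nibbles.reverse().map((n) => n.toString(16)).join("");
}

// Renders a hex string supplied by the server, as the patched templates do,
// but returns null for anything that is not a hex string instead of throwing.
function renderHexString(hex, width) {
  if (typeof hex !== "string" || !/^[0-9a-fA-F]+$/.test(hex)) {
    return null; // caller decides how to show "no identifier"
  }
  return "0x" + hex.padStart(width, "0");
}

// Two distinct constructed key identifiers just above 2^64.
const KEY_A = "18446744073709551617"; // 2^64 + 1
const KEY_B = "18446744073709551618"; // 2^64 + 2

function demo() {
  return {
    naiveA: naiveToHex(KEY_A), // both round to 2^64
    naiveB: naiveToHex(KEY_B),
    exactA: decimalStringToHex(KEY_A),
    exactB: decimalStringToHex(KEY_B),
    small: renderHexString(decimalStringToHex("26"), 8),
    missing: renderHexString(undefined, 8),
  };
}

console.log(demo());
```

With the naive path both identifiers display as the same value, which matters on a key recovery page where an agent approves an operation by the identifier shown.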
From: akoneru at redhat.com (Abhishek Koneru)
Date: Tue, 23 Apr 2013 23:17:17 -0400
Subject: [Pki-devel] [PATCH] 55 If a configuration result has a single cert, convert it into an array #Ticket 593
In-Reply-To: <51773771.5070702@redhat.com>
References: <1366755798.2190.7.camel@akoneru.redhat.com> <51773771.5070702@redhat.com>
Message-ID: <1366773437.17571.0.camel@akoneru.redhat.com>

Added the space. Pushed to master.

--Abhishek

On Tue, 2013-04-23 at 20:37 -0500, Endi Sukma Dewata wrote:
> On 4/23/2013 5:23 PM, Abhishek Koneru wrote:
> > Please review the patch with fix for issue #593.
> >
> > Issue:
> >
> > The code expects a list of system certs in a configuration result.
> > But if there is only one cert, the JSON result has just the object but
> > not a list with one object.
> >
> > Fix:
> >
> > Put the single cert in an array and continue.
> >
> > Both CA and clone CA installed fine and passed smoke test.
>
> ACK. Just one thing, please add a space after the comma:
>
>     if not isinstance(certs,types.ListType):
>

From edewata at redhat.com Wed Apr 24 17:37:09 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Apr 2013 12:37:09 -0500
Subject: [Pki-devel] [PATCH] 235 Moved pki.conf into base/common.
Message-ID: <51781845.8060303@redhat.com>

The pki.conf has been moved into the base/common folder to match
the RPM package.

Ticket #553

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0235-Moved-pki.conf-into-base-common.patch
Type: text/x-patch
Size: 2072 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Apr 24 17:37:30 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Apr 2013 12:37:30 -0500
Subject: [Pki-devel] [PATCH] 236 Refactored upgrade framework into base and server upgrade.
Message-ID: <5178185A.7030003@redhat.com>

The upgrade framework has been split into base and server upgrade
frameworks since they will be run automatically by different RPM
packages during upgrade. The base upgrade framework will upgrade
the system configuration. The server upgrade framework will upgrade
the instances and subsystems.

Ticket #544

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0236-Refactored-upgrade-framework-into-base-and-server-up.patch
Type: text/x-patch
Size: 48339 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Apr 24 20:35:19 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 24 Apr 2013 15:35:19 -0500
Subject: [Pki-devel] [PATCH] 235 Moved pki.conf into base/common.
In-Reply-To: <51781845.8060303@redhat.com>
References: <51781845.8060303@redhat.com>
Message-ID: <51784207.5040304@redhat.com>

On 4/24/2013 12:37 PM, Endi Sukma Dewata wrote:
> The pki.conf has been moved into the base/common folder to match
> the RPM package.
>
> Ticket #553

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From alee at redhat.com Thu Apr 25 04:54:09 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 25 Apr 2013 00:54:09 -0400
Subject: [Pki-devel] [PATCH] 236 Refactored upgrade framework into base and server upgrade.
In-Reply-To: <5178185A.7030003@redhat.com>
References: <5178185A.7030003@redhat.com>
Message-ID: <1366865649.10179.24.camel@aleeredhat.laptop>

seems reasonable to me. ACK

On Wed, 2013-04-24 at 12:37 -0500, Endi Sukma Dewata wrote:
> The upgrade framework has been split into base and server upgrade
> frameworks since they will be run automatically by different RPM
> packages during upgrade. The base upgrade framework will upgrade
> the system configuration. The server upgrade framework will upgrade
> the instances and subsystems.
>
> Ticket #544

From akoneru at redhat.com Thu Apr 25 13:47:20 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Thu, 25 Apr 2013 09:47:20 -0400
Subject: [Pki-devel] [PATCH] 56 Add error logs when executing pkispawn Ticket#592
Message-ID: <1366897640.2340.2.camel@akoneru.redhat.com>

Please review the patch which adds the stack trace and message
information to the debug logs, if an error occurs while executing
pkispawn. #592

--Abhishek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0056-Show-error-messages-and-stack-trace-when-an-error-oc.patch
Type: text/x-patch
Size: 21240 bytes
Desc: not available
URL:

From alee at redhat.com Thu Apr 25 15:04:22 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 25 Apr 2013 11:04:22 -0400
Subject: [Pki-devel] [PATCH] 56 Add error logs when executing pkispawn Ticket#592
In-Reply-To: <1366897640.2340.2.camel@akoneru.redhat.com>
References: <1366897640.2340.2.camel@akoneru.redhat.com>
Message-ID: <1366902262.2206.3.camel@localhost.localdomain>

All of the above is good.

What I am really interested in though, is whether error messages that are
sent back with exceptions from the config servlet are reported. At last
look, it looked like these were not reported.

You can test this by sending in some bad data -- say setting up a clone
where the base DN does not match the master, or sending in any of the
various ways to fail the validation function in SystemConfigService.java.

On Thu, 2013-04-25 at 09:47 -0400, Abhishek Koneru wrote:
> Please review the patch which adds the stack trace and message
> information to the debug logs, if an error occurs while executing
> pkispawn. #592
>
> --Abhishek

From awnuk at redhat.com Thu Apr 25 18:35:02 2013
From: awnuk at redhat.com (Andrew Wnuk)
Date: Thu, 25 Apr 2013 11:35:02 -0700
Subject: [Pki-devel] cloning improvement
Message-ID: <51797756.4050508@redhat.com>

This patch improves cloning in regards to configuration of random
certificate serial numbers.

Bug: 922121.
-------------- next part --------------
Index: pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java =================================================================== --- pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (revision 2580) +++ pki/base/common/src/com/netscape/cmscore/dbs/CertificateRepository.java (working copy) 
@@ -359,7 +359,7 @@ } else { c = s; } - CMS.debug("CertificateRepository: getInRangeCounter: c=" + c + ((t != null)?(" t="+t):"null")); + CMS.debug("CertificateRepository: getInRangeCounter: c="+c+" t="+((t != null)?t:"null")); BigInteger counter = new BigInteger(c); BigInteger count = BigInteger.ZERO; @@ -407,17 +407,22 @@ mMaxCollisionRecoveryRegenerations = mDBConfig.getInteger(PROP_COLLISION_RECOVERY_REGENERATIONS, 3); boolean modeChange = (mEnableRandomSerialNumbers && crMode != null && crMode.equals(PROP_SEQUENTIAL_MODE)) || ((!mEnableRandomSerialNumbers) && crMode != null && crMode.equals(PROP_RANDOM_MODE)); + boolean enableRsnAtConfig = mEnableRandomSerialNumbers && CMS.isPreOpMode() && + (crMode == null || crMode.length() == 0); CMS.debug("CertificateRepository: getLastSerialNumberInRange"+ " mEnableRandomSerialNumbers="+mEnableRandomSerialNumbers+ " mMinRandomBitLength="+mMinRandomBitLength+ " CollisionRecovery="+mMaxCollisionRecoveryRegenerations+","+mMaxCollisionRecoverySteps); CMS.debug("CertificateRepository: getLastSerialNumberInRange modeChange="+modeChange+ - " mForceModeChange="+mForceModeChange+((crMode != null)?(" mode="+crMode):"")); - if (modeChange) { - if (mForceModeChange) { + " enableRsnAtConfig="+enableRsnAtConfig+" mForceModeChange="+mForceModeChange+ + ((crMode != null)?" mode="+crMode:"")); + if (modeChange || enableRsnAtConfig) { + if (mForceModeChange || enableRsnAtConfig) { setCertificateRepositoryMode((mEnableRandomSerialNumbers)? PROP_RANDOM_MODE: PROP_SEQUENTIAL_MODE); - mForceModeChange = false; - mDBConfig.remove(PROP_FORCE_MODE_CHANGE); + if (mForceModeChange) { + mForceModeChange = false; + mDBConfig.remove(PROP_FORCE_MODE_CHANGE); + } } else { mEnableRandomSerialNumbers = !mEnableRandomSerialNumbers; mDBConfig.putBoolean(PROP_ENABLE_RANDOM_SERIAL_NUMBERS, mEnableRandomSerialNumbers); From mharmsen at redhat.com Thu Apr 25 18:37:42 2013 
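Review bot: In the second CertificateRepository.java hunk (-407) of the Bug 922121 patch above, the new enableRsnAtConfig path has no comment saying why an unset or empty crMode in pre-op mode may call setCertificateRepositoryMode without mForceModeChange, and the nested test if (mForceModeChange || enableRsnAtConfig) followed by an inner if (mForceModeChange) is hard to follow. A short comment at the enableRsnAtConfig declaration and a separate branch for the configuration-time case would make it clear that the else branch, which flips mEnableRandomSerialNumbers back, is reached only for an unforced mode change.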
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 25 Apr 2013 11:37:42 -0700
Subject: [Pki-devel] cloning improvement
In-Reply-To: <51797756.4050508@redhat.com>
References: <51797756.4050508@redhat.com>
Message-ID: <517977F6.70203@redhat.com>

On 04/25/13 11:35, Andrew Wnuk wrote:
> This patch improves cloning in regards to configuration of random
> certificate serial numbers.
>
> Bug: 922121.

ACK I received a demo of this fix.

From alee at redhat.com Thu Apr 25 21:03:35 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 25 Apr 2013 17:03:35 -0400
Subject: [Pki-devel] [PATCH] 129 - added pretrans and java-atk-wrapper dependency
Message-ID: <1366923815.32762.10.camel@localhost.localdomain>

These are both things for fedora 19.

First the java-atk-wrapper dependency appears to come from something that changed in java-1.7.0-openjdk. When you upgrade to the latest version of the JDK, on starting tomcat, an exception is thrown because the server cannot find this dependency. After some searching, it seems like this dependency is somehow brought in when tomcat is initializing the web containers. It's not clear who is bringing this in. For now, we're just going to add it to the dependencies for pki-server. Hopefully, at some later point, we can remove it.

Second, we have added a pretrans section that runs only on f19 onwards. This %pretrans checks for the existence of dogtag 9 style instances, and if present, prevents the upgrade. This is to prevent people from upgrading and then discovering that their dogtag 9 style instances have broken because tomcat 6 does not exist on f19.

The workaround - if they want to upgrade in any case -- is to move the registry files associated with those instances. Then they would have to install tomcat 6 and the right version of tomcatjss.

The scriptlet is written in lua so that it does not break fresh installs. Go lua!

Please review,
Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0129-Added-pretrans-script-and-java-atk-wrapper-dependenc.patch
Type: text/x-patch
Size: 2406 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Apr 25 22:44:50 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Apr 2013 17:44:50 -0500
Subject: [Pki-devel] [PATCH] 237 Updated default client database location for CLI.
Message-ID: <5179B1E2.5070207@redhat.com>

The default client database location for CLI has been changed to
~/.dogtag/nssdb. The code that initializes the database has been
moved from PKIConnection to PKIClient.

Ticket #491

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0237-Updated-default-client-database-location-for-CLI.patch
Type: text/x-patch
Size: 9327 bytes
Desc: not available
URL:

From edewata at redhat.com Thu Apr 25 22:44:54 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Apr 2013 17:44:54 -0500
Subject: [Pki-devel] [PATCH] 238 Added option to download CA cert chain from admin interface.
Message-ID: <5179B1E6.4090107@redhat.com>

A new --ca-admin--server option has been added to the client-import-cert
CLI to download the CA certificate chain from the admin interface.

Ticket #491

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0238-Added-option-to-download-CA-cert-chain-from-admin-in.patch
Type: text/x-patch
Size: 7037 bytes
Desc: not available
URL:

From mharmsen at redhat.com Fri Apr 26 02:52:09 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 25 Apr 2013 19:52:09 -0700
Subject: [Pki-devel] [PATCH] Fix 'sslget' to skip link local addresses
Message-ID: <5179EBD9.2030002@redhat.com>

Please review the attached patch which addresses the following two
bugs by causing 'sslget' to skip link local addresses:

  * Bugzilla Bug #953464 - ipa-server-install crashes due to sslget error
  * Bugzilla Bug #859043 - ipa-server-install results in error -5987

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20130425-Fix-sslget-to-skip-link-local-addresses.patch
Type: text/x-patch
Size: 5749 bytes
Desc: not available
URL:

From alee at redhat.com Fri Apr 26 03:01:03 2013
From: alee at redhat.com (Ade Lee)
Date: Thu, 25 Apr 2013 23:01:03 -0400
Subject: [Pki-devel] [PATCH] Fix 'sslget' to skip link local addresses
In-Reply-To: <5179EBD9.2030002@redhat.com>
References: <5179EBD9.2030002@redhat.com>
Message-ID: <1366945263.2366.0.camel@aleeredhat.laptop>

ack

On Thu, 2013-04-25 at 19:52 -0700, Matthew Harmsen wrote:
> Please review the attached patch which addresses the following two
> bugs by causing 'sslget' to skip link local addresses:
>   * Bugzilla Bug #953464 - ipa-server-install crashes due to
>     sslget error
>   * Bugzilla Bug #859043 - ipa-server-install results in error
>     -5987
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Fri Apr 26 03:19:54 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Apr 2013 22:19:54 -0500
Subject: [Pki-devel] [PATCH] 233 Refactored code to import CA certificate.
In-Reply-To: <5176DBED.5020409@redhat.com>
References: <5176DBED.5020409@redhat.com>
Message-ID: <5179F25A.8020307@redhat.com>

On 4/23/2013 2:07 PM, Endi Sukma Dewata wrote:
> The code to import CA certificate has been moved from PKIConnection
> into PKIClient to allow reuse.
>
> The Client classes have been modified such that they use a shared
> PKIClient object instead of PKIConnection.
>
> The return codes in CertFindCLI have been fixed to be more consistent
> with other commands.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Apr 26 03:20:24 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Apr 2013 22:20:24 -0500
Subject: [Pki-devel] [PATCH] 234 Added Client CLI module.
In-Reply-To: <5176DBF7.1040201@redhat.com>
References: <5176DBF7.1040201@redhat.com>
Message-ID: <5179F278.9040703@redhat.com>

On 4/23/2013 2:07 PM, Endi Sukma Dewata wrote:
> A new CLI module has been added to manage certificates in client
> security database.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Apr 26 03:21:05 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 25 Apr 2013 22:21:05 -0500
Subject: [Pki-devel] [PATCH] 236 Refactored upgrade framework into base and server upgrade.
In-Reply-To: <5178185A.7030003@redhat.com>
References: <5178185A.7030003@redhat.com>
Message-ID: <5179F2A1.2030803@redhat.com>

On 4/24/2013 12:37 PM, Endi Sukma Dewata wrote:
> The upgrade framework has been split into base and server upgrade
> frameworks since they will be run automatically by different RPM
> packages during upgrade. The base upgrade framework will upgrade
> the system configuration. The server upgrade framework will upgrade
> the instances and subsystems.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From akoneru at redhat.com Fri Apr 26 04:12:53 2013
From: akoneru at redhat.com (Abhishek Koneru)
Date: Fri, 26 Apr 2013 00:12:53 -0400
Subject: [Pki-devel] [PATCH] 56-2 Fixes fo review comments on patch - 56 Add error logs when executing pkispawn Ticket#592
In-Reply-To: <1366902262.2206.3.camel@localhost.localdomain>
References: <1366897640.2340.2.camel@akoneru.redhat.com> <1366902262.2206.3.camel@localhost.localdomain>
Message-ID: <1366949573.15558.5.camel@akoneru.redhat.com>

Please review the attached patch which prints the error message from the
configuration servlet.

For Example:
I tested by installing a CA and then a clone CA, but the clone's base
DN does not match with the master's. The following output is printed.

Actual error seen in the text section of the HTTPResponse object
received in the HTTPError object:

com.netscape.certsrv.base.BadRequestException400Master and clone should have the same base DN

Error message printed in the debug log (added in this patch):
Exception from Java Configuration Servlet: Master and clone should have
the same base DN

--Abhishek

On Thu, 2013-04-25 at 11:04 -0400, Ade Lee wrote:
> All of the above is good. What I am really interested in though, is
> whether error messages that are sent back with exceptions from the
> config servlet are reported. At last look, it looked like these were
> not reported.
>
> You can test this by sending in some bad data -- say setting up a clone
> where the base DN does not match the master, or sending in any of the
> various ways to fail the validation function in
> SystemConfigService.java.
>
>
> On Thu, 2013-04-25 at 09:47 -0400, Abhishek Koneru wrote:
> > Please review the patch which adds the stack trace and message
> > information to the debug logs, if an error occurs while executing
> > pkispawn. #592
> >
> > --Abhishek
> >
> >
> > _______________________________________________
> > Pki-devel mailing list
> > Pki-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-devel
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-akoneru-0056-2-Show-error-messages-and-stack-trace-when-an-error-oc.patch
Type: text/x-patch
Size: 22122 bytes
Desc: not available
URL:

From alee at redhat.com Fri Apr 26 06:07:38 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 26 Apr 2013 02:07:38 -0400
Subject: [Pki-devel] [PATCH] 56-2 Fixes fo review comments on patch - 56 Add error logs when executing pkispawn Ticket#592
In-Reply-To: <1366949573.15558.5.camel@akoneru.redhat.com>
References: <1366897640.2340.2.camel@akoneru.redhat.com> <1366902262.2206.3.camel@localhost.localdomain> <1366949573.15558.5.camel@akoneru.redhat.com>
Message-ID: <1366956458.13305.2.camel@aleeredhat.laptop>

ACK.

I have pushed this patch with a couple of small modifications.

In pkispawn, in the exception code, you print that the "Installation failed" and then exit(0). It should be exit(1). I similarly added a message that the installation failed to the conditional that follows the exception code.

On Fri, 2013-04-26 at 00:12 -0400, Abhishek Koneru wrote:
> Please review the attached patch which prints the error message from the
> configuration servlet.
>
> For Example:
> I tested by installing a CA and then a clone CA, but the clone's base
> DN does not match with the master's. The following output is printed.
>
> Actual error seen in the text section of the HTTPResponse object
> received in the HTTPError object:
>
> standalone="yes"?>com.netscape.certsrv.base.BadRequestException400Master and clone should have the same base DN
>
> Error message printed in the debug log (added in this patch):
> Exception from Java Configuration Servlet: Master and clone should have
> the same base DN
>
> --Abhishek
> On Thu, 2013-04-25 at 11:04 -0400, Ade Lee wrote:
> > All of the above is good. What I am really interested in though, is
> > whether error messages that are sent back with exceptions from the
> > config servlet are reported. At last look, it looked like these were
> > not reported.
> >
> > You can test this by sending in some bad data -- say setting up a clone
> > where the base DN does not match the master, or sending in any of the
> > various ways to fail the validation function in
> > SystemConfigService.java.
> >
> >
> > On Thu, 2013-04-25 at 09:47 -0400, Abhishek Koneru wrote:
> > > Please review the patch which adds the stack trace and message
> > > information to the debug logs, if an error occurs while executing
> > > pkispawn. #592
> > >
> > > --Abhishek
> > >
> > >
> > > _______________________________________________
> > > Pki-devel mailing list
> > > Pki-devel at redhat.com
> > > https://www.redhat.com/mailman/listinfo/pki-devel
> >
> >
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Fri Apr 26 14:41:21 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 26 Apr 2013 10:41:21 -0400
Subject: [Pki-devel] [PATCH] 130 - set log level to DEBUG in log file for pkispawn
Message-ID: <1366987281.13305.4.camel@aleeredhat.laptop>

The log file is not very useful without the level of logging.
If you have occasion to go to the log file, then you want to
see all the gory details. This of course is valid for pkidestroy too.

Also removed an unneeded import introduced by mistake.

Please review,

Ade
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0130-Set-log-level-in-logfile-to-debug-in-pkispawn.patch
Type: text/x-patch
Size: 3933 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Apr 26 14:57:31 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 09:57:31 -0500
Subject: [Pki-devel] [PATCH] 237 Updated default client database location for CLI.
In-Reply-To: <5179B1E2.5070207@redhat.com>
References: <5179B1E2.5070207@redhat.com>
Message-ID: <517A95DB.8080509@redhat.com>

On 4/25/2013 5:44 PM, Endi Sukma Dewata wrote:
> The default client database location for CLI has been changed to
> ~/.dogtag/nssdb. The code that initializes the database has been
> moved from PKIConnection to PKIClient.

New patch attached. The initialization is returned to the MainCLI.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0237-1-Updated-default-client-database-location-for-CLI.patch
Type: text/x-patch
Size: 6042 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Apr 26 14:57:40 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 09:57:40 -0500
Subject: [Pki-devel] [PATCH] 238 Added option to download CA cert chain from admin interface.
In-Reply-To: <5179B1E6.4090107@redhat.com>
References: <5179B1E6.4090107@redhat.com>
Message-ID: <517A95E4.3080202@redhat.com>

On 4/25/2013 5:44 PM, Endi Sukma Dewata wrote:
> A new --ca-admin--server option has been added to the client-import-cert
> CLI to download the CA certificate chain from the admin interface.
>
> Ticket #491

New patch attached. The new option has been removed, but the method to download from an alternate servlet is retained.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0238-1-Added-method-to-download-CA-cert-chain-from-admin-in.patch
Type: text/x-patch
Size: 6185 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Apr 26 14:58:09 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 09:58:09 -0500
Subject: [Pki-devel] [PATCH] 239 Fixed missing classpath for javadoc.
Message-ID: <517A9601.8040405@redhat.com>

The CMake script has been fixed to include the commons-io library
when building javadoc.

Ticket #491

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0239-Fixed-missing-classpath-for-javadoc.patch
Type: text/x-patch
Size: 1068 bytes
Desc: not available
URL:

From alee at redhat.com Fri Apr 26 15:15:28 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 26 Apr 2013 11:15:28 -0400
Subject: [Pki-devel] [PATCH] 130 - set log level to DEBUG in log file for pkispawn
In-Reply-To: <1366987281.13305.4.camel@aleeredhat.laptop>
References: <1366987281.13305.4.camel@aleeredhat.laptop>
Message-ID: <1366989328.13305.5.camel@aleeredhat.laptop>

acked by Endi. pushed to master.

On Fri, 2013-04-26 at 10:41 -0400, Ade Lee wrote:
> The log file is not very useful without the level of logging.
> If you have occasion to go to the log file, then you want to
> see all the gory details. This of course is valid for pkidestroy too.
>
> Also removed an unneeded import introduced by mistake.
>
> Please review,
>
> Ade
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Fri Apr 26 16:02:18 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 11:02:18 -0500
Subject: [Pki-devel] [PATCH] 237 Updated default client database location for CLI.
In-Reply-To: <517A95DB.8080509@redhat.com>
References: <5179B1E2.5070207@redhat.com> <517A95DB.8080509@redhat.com>
Message-ID: <517AA50A.4010202@redhat.com>

On 4/26/2013 9:57 AM, Endi Sukma Dewata wrote:
> On 4/25/2013 5:44 PM, Endi Sukma Dewata wrote:
>> The default client database location for CLI has been changed to
>> ~/.dogtag/nssdb. The code that initializes the database has been
>> moved from PKIConnection to PKIClient.
>
> New patch attached. The initialization is returned to the MainCLI.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Apr 26 16:02:40 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 11:02:40 -0500
Subject: [Pki-devel] [PATCH] 238 Added option to download CA cert chain from admin interface.
In-Reply-To: <517A95E4.3080202@redhat.com>
References: <5179B1E6.4090107@redhat.com> <517A95E4.3080202@redhat.com>
Message-ID: <517AA520.1010202@redhat.com>

On 4/26/2013 9:57 AM, Endi Sukma Dewata wrote:
> On 4/25/2013 5:44 PM, Endi Sukma Dewata wrote:
>> A new --ca-admin--server option has been added to the client-import-cert
>> CLI to download the CA certificate chain from the admin interface.
>>
>> Ticket #491
>
> New patch attached. The new option has been removed, but the method to
> download from an alternate servlet is retained.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Apr 26 16:03:18 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 11:03:18 -0500
Subject: [Pki-devel] [PATCH] 239 Fixed missing classpath for javadoc.
In-Reply-To: <517A9601.8040405@redhat.com>
References: <517A9601.8040405@redhat.com>
Message-ID: <517AA546.6060402@redhat.com>

On 4/26/2013 9:58 AM, Endi Sukma Dewata wrote:
> The CMake script has been fixed to include the commons-io library
> when building javadoc.
>
> Ticket #491

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Fri Apr 26 17:14:59 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 26 Apr 2013 12:14:59 -0500
Subject: [Pki-devel] [PATCH] 240 Replaced ~/.pki with ~/.dogtag.
Message-ID: <517AB613.5080402@redhat.com>

The default folder to store user files in the home directory
has been changed from .pki to .dogtag.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0240-Replaced-.pki-with-.dogtag.patch
Type: text/x-patch
Size: 4290 bytes
Desc: not available
URL:

From edewata at redhat.com Sat Apr 27 20:13:57 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 27 Apr 2013 15:13:57 -0500
Subject: [Pki-devel] [PATCH] 240 Replaced ~/.pki with ~/.dogtag.
In-Reply-To: <517AB613.5080402@redhat.com>
References: <517AB613.5080402@redhat.com>
Message-ID: <517C3185.3050709@redhat.com>

On 4/26/2013 12:14 PM, Endi Sukma Dewata wrote:
> The default folder to store user files in the home directory
> has been changed from .pki to .dogtag.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Sat Apr 27 20:19:42 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 27 Apr 2013 15:19:42 -0500
Subject: [Pki-devel] [PATCH] 241 Ignoring warnings/errors during installation.
Message-ID: <517C32DE.3070203@redhat.com>

The code used by pkispawn and pkidestroy has been modified to ignore
certificate validity warnings/errors that happen during installation.

The instanceCreationMode is now redundant and has been removed from
ClientConfig.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0241-Ignoring-warnings-errors-during-installation.patch
Type: text/x-patch
Size: 11996 bytes
Desc: not available
URL:

From edewata at redhat.com Sat Apr 27 20:19:45 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 27 Apr 2013 15:19:45 -0500
Subject: [Pki-devel] [PATCH] 242 Added separate CLI option for client database password.
Message-ID: <517C32E1.5080204@redhat.com>

Previously the -w option was used to specify the password for
either the username/password authentication or client database
password to do client certificate authentication. Since the
passwords now may be used at the same time, a new -c option
has been added for the client database password.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0242-Added-separate-CLI-option-for-client-database-passwo.patch
Type: text/x-patch
Size: 4984 bytes
Desc: not available
URL:

From edewata at redhat.com Sat Apr 27 20:19:52 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Sat, 27 Apr 2013 15:19:52 -0500
Subject: [Pki-devel] [PATCH] 243 Reverting to old CLI behavior on client database initialization.
Message-ID: <517C32E8.3080302@redhat.com>

Recently the CLI was changed to initialize the default client database
automatically which will create it if it did not exist before. This was
causing a problem since the database was not created with a password.
To create the database properly a separate command is needed. For now
the CLI is reverted to the old behavior where it initializes the
database only if it is required for SSL connection and/or client
authentication.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0243-Reverting-to-old-CLI-behavior-on-client-database-ini.patch
Type: text/x-patch
Size: 9546 bytes
Desc: not available
URL:

From alee at redhat.com Sun Apr 28 05:55:32 2013
From: alee at redhat.com (Ade Lee)
Date: Sun, 28 Apr 2013 01:55:32 -0400
Subject: [Pki-devel] [PATCH] 241 Ignoring warnings/errors during installation.
In-Reply-To: <517C32DE.3070203@redhat.com>
References: <517C32DE.3070203@redhat.com>
Message-ID: <1367128532.16323.1.camel@aleeredhat.laptop>

ack - pushed to master.

On Sat, 2013-04-27 at 15:19 -0500, Endi Sukma Dewata wrote:
> The code used by pkispawn and pkidestroy has been modified to ignore
> certificate validity warnings/errors that happen during installation.
>
> The instanceCreationMode is now redundant and has been removed from
> ClientConfig.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Sun Apr 28 05:57:47 2013
From: alee at redhat.com (Ade Lee)
Date: Sun, 28 Apr 2013 01:57:47 -0400
Subject: [Pki-devel] [PATCH] 242 Added separate CLI option for client database password.
In-Reply-To: <517C32E1.5080204@redhat.com>
References: <517C32E1.5080204@redhat.com>
Message-ID: <1367128667.16323.4.camel@aleeredhat.laptop>

ack

pushed to master.

Three changes added:
1. call to kraconnector-delete needed arg change from -w to -c.
2. call to get-install-token in pkidestroy had database location of instance added.
3. man page updated.

On Sat, 2013-04-27 at 15:19 -0500, Endi Sukma Dewata wrote:
> Previously the -w option was used to specify the password for
> either the username/password authentication or client database
> password to do client certificate authentication. Since the
> passwords now may be used at the same time, a new -c option
> has been added for the client database password.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From alee at redhat.com Sun Apr 28 05:58:09 2013
From: alee at redhat.com (Ade Lee)
Date: Sun, 28 Apr 2013 01:58:09 -0400
Subject: [Pki-devel] [PATCH] 243 Reverting to old CLI behavior on client database initialization.
In-Reply-To: <517C32E8.3080302@redhat.com>
References: <517C32E8.3080302@redhat.com>
Message-ID: <1367128689.16323.5.camel@aleeredhat.laptop>

ack. Pushed to master.

On Sat, 2013-04-27 at 15:19 -0500, Endi Sukma Dewata wrote:
> Recently the CLI was changed to initialize the default client database
> automatically which will create it if it did not exist before. This was
> causing a problem since the database was not created with a password.
> To create the database properly a separate command is needed. For now
> the CLI is reverted to the old behavior where it initializes the
> database only if it is required for SSL connection and/or client
> authentication.
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Mon Apr 29 16:09:47 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 11:09:47 -0500
Subject: [Pki-devel] [PATCH] 244 Fixed server upgrade problem on new installation.
Message-ID: <517E9B4B.3020600@redhat.com>

The PKIServerUpgrader.get_current_version() incorrectly returns None
if there is no instance on the system. It has been modified to return
the target version so that no upgrade operation will occur.

Bugzilla #957690

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0244-Fixed-server-upgrade-problem-on-new-installation.patch
Type: text/x-patch
Size: 1229 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 29 20:03:13 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 15:03:13 -0500
Subject: [Pki-devel] [PATCH] 244 Fixed server upgrade problem on new installation.
In-Reply-To: <517E9B4B.3020600@redhat.com>
References: <517E9B4B.3020600@redhat.com>
Message-ID: <517ED201.4070302@redhat.com>

On 4/29/2013 11:09 AM, Endi Sukma Dewata wrote:
> The PKIServerUpgrader.get_current_version() incorrectly returns None
> if there is no instance on the system. It has been modified to return
> the target version so that no upgrade operation will occur.
>
> Bugzilla #957690

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Apr 29 20:05:02 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 15:05:02 -0500
Subject: [Pki-devel] [PATCH] 245 Added upgrade scriptlet to add JNI_JAR_DIR.
Message-ID: <517ED26E.3080102@redhat.com>

A new upgrade scriptlet has been added to add JNI_JAR_DIR into
pki.conf. The code to manipulate property files has been refactored
from PKIUpgradeTracker into a separate PropertyFile class to allow
reuse.

The pki-base package has been modified to deliver a default pki.conf
in /usr/share/pki/etc and copy it into /etc/pki if it doesn't exist.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0245-Added-upgrade-scriptlet-to-add-JNI_JAR_DIR.patch
Type: text/x-patch
Size: 18361 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 29 20:53:30 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 15:53:30 -0500
Subject: [Pki-devel] [PATCH] 246 Fixed undefined BASE_DIR.
Message-ID: <517EDDCA.4060505@redhat.com>

The pki.server module has been fixed to include the module name
of the BASE_DIR.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0246-Fixed-undefined-BASE_DIR.patch
Type: text/x-patch
Size: 1672 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 29 20:59:01 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 15:59:01 -0500
Subject: [Pki-devel] [PATCH] 245 Added upgrade scriptlet to add JNI_JAR_DIR.
In-Reply-To: <517ED26E.3080102@redhat.com>
References: <517ED26E.3080102@redhat.com>
Message-ID: <517EDF15.7010504@redhat.com>

On 4/29/2013 3:05 PM, Endi Sukma Dewata wrote:
> A new upgrade scriptlet has been added to add JNI_JAR_DIR into
> pki.conf. The code to manipulate property files has been refactored
> from PKIUpgradeTracker into a separate PropertyFile class to allow
> reuse.
>
> The pki-base package has been modified to deliver a default pki.conf
> in /usr/share/pki/etc and copy it into /etc/pki if it doesn't exist.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Apr 29 20:59:30 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 15:59:30 -0500
Subject: [Pki-devel] [PATCH] 246 Fixed undefined BASE_DIR.
In-Reply-To: <517EDDCA.4060505@redhat.com>
References: <517EDDCA.4060505@redhat.com>
Message-ID: <517EDF32.2000301@redhat.com>

On 4/29/2013 3:53 PM, Endi Sukma Dewata wrote:
> The pki.server module has been fixed to include the module name
> of the BASE_DIR.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From edewata at redhat.com Mon Apr 29 21:59:52 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 16:59:52 -0500
Subject: [Pki-devel] [PATCH] 247 Fixed undefined PKIException.
Message-ID: <517EED58.6050306@redhat.com>

The pki.server module has been fixed to include the module name
of the PKIException.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0247-Fixed-undefined-PKIException.patch
Type: text/x-patch
Size: 1265 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Apr 29 22:16:37 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 17:16:37 -0500
Subject: [Pki-devel] [PATCH] 247 Fixed undefined PKIException.
In-Reply-To: <517EED58.6050306@redhat.com>
References: <517EED58.6050306@redhat.com>
Message-ID: <517EF145.6050504@redhat.com>

On 4/29/2013 4:59 PM, Endi Sukma Dewata wrote:
> The pki.server module has been fixed to include the module name
> of the PKIException.

ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From mharmsen at redhat.com Tue Apr 30 02:18:14 2013
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Mon, 29 Apr 2013 19:18:14 -0700
Subject: [Pki-devel] AVCs for Dogtag 10.0.2 RA and TPS . . .
Message-ID: <517F29E6.5010007@redhat.com>

Ade,

I successfully installed a CA, KRA, OCSP, and TKS using command-line pkispawn with a configuration file.

Thus far, I have provided a Karma point for TPS and for RA; currently having trouble with pki-console (due to my X Display not working, not the package itself).

Once you re-spin pki-core, I can perform a GUI install of these subsystems and provide a karma point for both pki-core and dogtag-pki-theme (once I confirm that console is working).

After this, in order to confirm that dogtag-pki is working, I will need to remove all of the packages from my system and configure it to point to the appropriate test repo to make certain that it will grab the correct versions of Dogtag.

Per your request, here are the TPS and RA AVC's showing up in the audit.log (I installed the TPS prior to the RA without cleaning the audit log):

TPS:

    # getenforce
    Permissive
    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type httpd_suexec_exec_t;
            type pki_tps_t;
            class file { read getattr execute };
    }

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)

RA:

    # getenforce
    Permissive
    # cat /var/log/audit/audit.log | audit2allow -R

    require {
            type pki_tps_t;
            type pki_ra_t;
            type httpd_suexec_exec_t;
            class file { getattr read execute };
    }

    #============= pki_ra_t ==============
    allow pki_ra_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_ra_t)
    files_manage_generic_tmp_files(pki_ra_t)

    #============= pki_tps_t ==============
    allow pki_tps_t httpd_suexec_exec_t:file { read getattr execute };
    files_manage_generic_tmp_dirs(pki_tps_t)
    files_manage_generic_tmp_files(pki_tps_t)

--
Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From edewata at redhat.com Tue Apr 30 02:44:21 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 21:44:21 -0500
Subject: [Pki-devel] [PATCH] 248 Restored /etc/pki/pki.conf.
Message-ID: <517F3005.8030302@redhat.com>

The /etc/pki/pki.conf has been restored. The upgrade tracker now
will be appended to pki.conf on fresh installation.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0248-Restored-etc-pki-pki.conf.patch
Type: text/x-patch
Size: 2297 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 30 03:57:12 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 22:57:12 -0500
Subject: [Pki-devel] [PATCH] 248 Restored /etc/pki/pki.conf.
In-Reply-To: <517F3005.8030302@redhat.com>
References: <517F3005.8030302@redhat.com>
Message-ID: <517F4118.5000009@redhat.com>

On 4/29/2013 9:44 PM, Endi Sukma Dewata wrote:
> The /etc/pki/pki.conf has been restored. The upgrade tracker now
> will be appended to pki.conf on fresh installation.

Revised the patch to use separate tracker file.

--
Endi S. Dewata
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0248-1-Restored-etc-pki-pki.conf.patch
Type: text/x-patch
Size: 3960 bytes
Desc: not available
URL:

From edewata at redhat.com Tue Apr 30 04:29:25 2013
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 29 Apr 2013 23:29:25 -0500
Subject: [Pki-devel] [PATCH] 248 Restored /etc/pki/pki.conf.
In-Reply-To: <517F4118.5000009@redhat.com>
References: <517F3005.8030302@redhat.com> <517F4118.5000009@redhat.com>
Message-ID: <517F48A5.4080905@redhat.com>

On 4/29/2013 10:57 PM, Endi Sukma Dewata wrote:
> On 4/29/2013 9:44 PM, Endi Sukma Dewata wrote:
>> The /etc/pki/pki.conf has been restored. The upgrade tracker now
>> will be appended to pki.conf on fresh installation.
>
> Revised the patch to use separate tracker file.

Added -f to the rm command. ACKed by Ade. Pushed to master.

--
Endi S. Dewata