[Pki-devel] [PATCH] 537 Added rangeUnit property to certificate profiles.

Endi Sukma Dewata edewata at redhat.com
Wed Dec 10 23:43:35 UTC 2014


A new optional property has been added to certificate profiles to
specify the range unit. The default range unit is 'day'. The code
has been modified to use the Calendar API to calculate the end of
validity range based on the range unit.

https://fedorahosted.org/pki/ticket/1226

-- 
Endi S. Dewata
-------------- next part --------------
From 899b820eee7b581710131276eab55ed927ee6da4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata at redhat.com>
Date: Tue, 2 Dec 2014 17:25:55 -0500
Subject: [PATCH] Added rangeUnit property to certificate profiles.

A new optional property has been added to certificate profiles to
specify the range unit. The default range unit is 'day'. The code
has been modified to use the Calendar API to calculate the end of
validity range based on the range unit.

https://fedorahosted.org/pki/ticket/1226
---
 .../org/dogtagpki/server/ca/rest/CertService.java  |  5 +-
 .../cms/profile/constraint/EnrollConstraint.java   | 34 +++++++---
 .../cms/profile/constraint/ValidityConstraint.java | 72 +++++++++++++++++----
 .../netscape/cms/profile/def/EnrollDefault.java    | 33 ++++++++--
 .../netscape/cms/profile/def/ValidityDefault.java  | 73 +++++++++++++++++++---
 .../cms/servlet/admin/CMSAdminServlet.java         |  6 +-
 base/server/cmsbundle/src/UserMessages.properties  |  6 +-
 .../src/com/netscape/cmscore/apps/CMSEngine.java   |  1 +
 .../src/com/netscape/cmscore/cert/CertUtils.java   | 10 ++-
 .../src/com/netscape/cmscore/dbs/DBRegistry.java   |  2 +-
 .../src/com/netscape/cmscore/dbs/DBSubsystem.java  | 15 +++--
 .../src/com/netscape/cmscore/dbs/LDAPDatabase.java |  3 +
 .../src/com/netscape/cmscore/dbs/Repository.java   | 10 +--
 13 files changed, 214 insertions(+), 56 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index 6b5ea2ca4ac4b03f255f92dc825c34dabcdcde6b..ee974d446b689b089221bbaf2c7b6a5780c2f6bb 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -487,8 +487,9 @@ public class CertService extends PKIService implements CertResource {
                 infos.addLink(new Link("next", uri));
             }
 
-        } catch (Exception e1) {
-            throw new PKIException("Error searching certs in CertService.searchCerts!", e1);
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new PKIException("Unable to search certificates: " + e, e);
         }
 
         return createOKResponse(infos);
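Review bot: The new message `"Unable to search certificates: " + e` copies the caught exception's class name and text into the PKIException, and because the catch is for `Exception` that text can be internal directory or database error detail. If the PKIException message is what the REST response carries (not visible in this hunk), that detail reaches the caller. `CMS.debug(e)` on the line above already records it server-side, so I would keep the client-facing text generic: `throw new PKIException("Unable to search certificates", e);`. The try block this catch belongs to starts outside the hunk.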
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
index eb3eb14f67a6dff5bcd8b048eba316daf6223cb4..96b29d669992f36b4b849eac68b2af8695c46ce8 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/EnrollConstraint.java
@@ -88,18 +88,36 @@ public abstract class EnrollConstraint implements IPolicyConstraint {
     }
 
     public String getConfig(String name) {
+        return getConfig(name, "");
+    }
+
+    /**
+     * Get constraint parameter in profile configuration.
+     *
+     * @param name parameter name
+     * @param defval default value if parameter does not exist
+     * @return parameter value if exists, defval if does not exist, or null if error occured
+     */
+    public String getConfig(String name, String defval) {
+
+        if (mConfig == null) {
+            CMS.debug("Error: Missing profile configuration");
+            return null;
+        }
+
+        IConfigStore params = mConfig.getSubStore("params");
+        if (params == null) {
+            CMS.debug("Error: Missing constraint parameters");
+            return null;
+        }
+
         try {
-            if (mConfig == null)
-                return null;
-            if (mConfig.getSubStore("params") != null) {
-                String val = mConfig.getSubStore("params").getString(name);
+            return params.getString(name, defval);
 
-                return val;
-            }
         } catch (EBaseException e) {
-            CMS.debug(e.toString());
+            CMS.debug(e);
+            return null;
         }
-        return "";
     }
 
     public void init(IProfile profile, IConfigStore config)
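Review bot: The existing one-argument `getConfig(name)` changes behaviour here: it now returns `null` where it used to return `""`, both when the `params` substore is missing and when `getString` throws EBaseException. Any caller outside this patch that dereferences the result (a `getConfig(X).equals(...)` style check, for example) would now hit a NullPointerException inside constraint evaluation, so those call sites need an audit. Returning `defval` instead of `null` in those two branches would keep the old contract for `getConfig(name)` and still give the new callers their default. The same rewrite is applied to EnrollDefault.getConfig later in the patch. The Javadoc also has a typo: "occured" should be "occurred".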
diff --git a/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java b/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
index accbd9d2dfb0ddb5c52c001a8e4563baef290dea..eaf0b3bbfd7d1584263ef53a12faac37ff62b3c5 100644
--- a/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
+++ b/base/server/cms/src/com/netscape/cms/profile/constraint/ValidityConstraint.java
@@ -18,6 +18,7 @@
 package com.netscape.cms.profile.constraint;
 
 import java.io.IOException;
+import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
@@ -50,6 +51,7 @@ import com.netscape.cms.profile.def.ValidityDefault;
 public class ValidityConstraint extends EnrollConstraint {
 
     public static final String CONFIG_RANGE = "range";
+    public static final String CONFIG_RANGE_UNIT = "rangeUnit";
     public static final String CONFIG_NOT_BEFORE_GRACE_PERIOD = "notBeforeGracePeriod";
     public static final String CONFIG_CHECK_NOT_BEFORE = "notBeforeCheck";
     public static final String CONFIG_CHECK_NOT_AFTER = "notAfterCheck";
@@ -58,6 +60,7 @@ public class ValidityConstraint extends EnrollConstraint {
     public ValidityConstraint() {
         super();
         addConfigName(CONFIG_RANGE);
+        addConfigName(CONFIG_RANGE_UNIT);
         addConfigName(CONFIG_NOT_BEFORE_GRACE_PERIOD);
         addConfigName(CONFIG_CHECK_NOT_BEFORE);
         addConfigName(CONFIG_CHECK_NOT_AFTER);
@@ -86,6 +89,9 @@ public class ValidityConstraint extends EnrollConstraint {
         if (name.equals(CONFIG_RANGE)) {
             return new Descriptor(IDescriptor.INTEGER, null, "365",
                     CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE"));
+        } else if (name.equals(CONFIG_RANGE_UNIT)) {
+            return new Descriptor(IDescriptor.STRING, null, "day",
+                    CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_RANGE_UNIT"));
         } else if (name.equals(CONFIG_NOT_BEFORE_GRACE_PERIOD)) {
             return new Descriptor(IDescriptor.INTEGER, null, "0",
                     CMS.getUserMessage(locale, "CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD"));
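Review bot: `rangeUnit` is declared as a free-form `IDescriptor.STRING`, so a mistyped unit in a profile is only detected when a request reaches `validate()` or `populate()`, not when the profile is edited. The accepted values are a closed set (year, month, day, hour, minute in `convertRangeUnit`), so a choice-style descriptor such as `new Descriptor(IDescriptor.CHOICE, "year,month,day,hour,minute", "day", ...)` would expose them in the profile editor, provided the UI honours choice descriptors for constraint parameters. Failing that, the `CMS_PROFILE_VALIDITY_RANGE_UNIT` text should at least list the accepted values. The ValidityDefault descriptor hunk has the same shape.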
@@ -99,33 +105,57 @@ public class ValidityConstraint extends EnrollConstraint {
         return null;
     }
 
+    public int convertRangeUnit(String unit) throws Exception {
+
+        if (unit.equals("year")) {
+            return Calendar.YEAR;
+
+        } else if (unit.equals("month")) {
+            return Calendar.MONTH;
+
+        } else if (unit.equals("day")) {
+            return Calendar.DAY_OF_YEAR;
+
+        } else if (unit.equals("hour")) {
+            return Calendar.HOUR_OF_DAY;
+
+        } else if (unit.equals("minute")) {
+            return Calendar.MINUTE;
+
+        } else {
+            throw new Exception("Invalid range unit: " + unit);
+        }
+    }
+
     /**
      * Validates the request. The request is not modified
      * during the validation.
      */
     public void validate(IRequest request, X509CertInfo info)
             throws ERejectException {
-        CertificateValidity v = null;
 
+        CertificateValidity v;
         try {
             v = (CertificateValidity) info.get(X509CertInfo.VALIDITY);
         } catch (Exception e) {
             throw new ERejectException(CMS.getUserMessage(getLocale(request),
                         "CMS_PROFILE_VALIDITY_NOT_FOUND"));
         }
-        Date notBefore = null;
 
+        Date notBefore;
         try {
             notBefore = (Date) v.get(CertificateValidity.NOT_BEFORE);
+            CMS.debug("ValidityConstraint: not before: " + notBefore);
         } catch (IOException e) {
             CMS.debug("ValidityConstraint: not before not found");
             throw new ERejectException(CMS.getUserMessage(getLocale(request),
                         "CMS_PROFILE_VALIDITY_NOT_FOUND"));
         }
-        Date notAfter = null;
 
+        Date notAfter;
         try {
             notAfter = (Date) v.get(CertificateValidity.NOT_AFTER);
+            CMS.debug("ValidityConstraint: not after: " + notAfter);
         } catch (IOException e) {
             CMS.debug("ValidityConstraint: not after not found");
             throw new ERejectException(CMS.getUserMessage(getLocale(request),
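Review bot: `convertRangeUnit` is added verbatim to both ValidityConstraint and ValidityDefault, so the mapping that sets notAfter and the mapping that checks it can drift apart on a later edit. It is also `public`, throws bare `Exception`, and calls `unit.equals(...)` on a value that `getConfig` is documented to return as null on error. I would keep one shared static helper, compare as `"year".equals(unit)`, and throw a specific type such as IllegalArgumentException. validate() continues past the end of this hunk.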
@@ -138,18 +168,34 @@ public class ValidityConstraint extends EnrollConstraint {
                         "CMS_PROFILE_NOT_AFTER_BEFORE_NOT_BEFORE"));
         }
 
-        long millisDiff = notAfter.getTime() - notBefore.getTime();
-        CMS.debug("ValidityConstraint: millisDiff="
-                + millisDiff + " notAfter=" + notAfter.getTime() + " notBefore=" + notBefore.getTime());
-        long long_days = (millisDiff / 1000) / 86400;
-        CMS.debug("ValidityConstraint: long_days: " + long_days);
-        int days = (int) long_days;
-        CMS.debug("ValidityConstraint: days: " + days);
-
-        if (days > Integer.parseInt(getConfig(CONFIG_RANGE))) {
+        String rangeStr = getConfig(CONFIG_RANGE, "365");
+        CMS.debug("ValidityConstraint: range: " + rangeStr);
+        int range = Integer.parseInt(rangeStr);
+
+        String rangeUnitStr = getConfig(CONFIG_RANGE_UNIT, "day");
+        CMS.debug("ValidityConstraint: range unit: " + rangeUnitStr);
+
+        int rangeUnit;
+        try {
+            rangeUnit = convertRangeUnit(rangeUnitStr);
+        } catch (Exception e) {
+            throw new ERejectException(CMS.getUserMessage(getLocale(request),
+                    "CMS_PROFILE_VALIDITY_INVALID_RANGE_UNIT",
+                    rangeUnitStr));
+        }
+
+        // calculate the end of validity range
+        Calendar date = Calendar.getInstance();
+        date.setTime(notBefore);
+        date.add(rangeUnit, range);
+
+        Date limit = date.getTime();
+        CMS.debug("ValidityConstraint: limit: " + limit);
+
+        if (notAfter.after(limit)) {
             throw new ERejectException(CMS.getUserMessage(getLocale(request),
                         "CMS_PROFILE_VALIDITY_OUT_OF_RANGE",
-                        Integer.toString(days)));
+                        notAfter.toString(), limit.toString()));
         }
 
         // 613828
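Review bot: `Integer.parseInt(rangeStr)` sits outside any try block, so a non-numeric `range`, or the null that `getConfig` returns on a configuration error, leaves validate() as an unchecked NumberFormatException rather than an ERejectException with a usable message. Since this check is what caps certificate lifetime, a bad profile value should produce an explicit rejection; the fence below shows the parse wrapped accordingly. Separately, `Calendar.getInstance()` uses the host's default time zone, so for day, month and year units the computed limit can differ by an hour across DST changes and between CA clones in different zones; pinning the calendar to UTC would make the limit reproducible. validate() starts before and ends after this hunk.

```java
        String rangeStr = getConfig(CONFIG_RANGE, "365");
        // … unchanged: debug of rangeStr …
        int range;
        try {
            range = Integer.parseInt(rangeStr);
        } catch (NumberFormatException e) {
            CMS.debug(e);
            throw new ERejectException(CMS.getUserMessage(getLocale(request),
                    "CMS_INVALID_PROPERTY", CONFIG_RANGE));
        }
        // … unchanged: range unit lookup and limit calculation …
```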
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
index 417f78123881508afbf9a78e2ab31c4507e28bfb..5c2029a0f008c2a01bffdd655913008be3138c33 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/EnrollDefault.java
@@ -107,15 +107,36 @@ public abstract class EnrollDefault implements IPolicyDefault, ICertInfoPolicyDe
     }
 
     public String getConfig(String name) {
+        return getConfig(name, "");
+    }
+
+    /**
+     * Get constraint parameter in profile configuration.
+     *
+     * @param name parameter name
+     * @param defval default value if parameter does not exist
+     * @return parameter value if exists, defval if does not exist, or null if error occured
+     */
+    public String getConfig(String name, String defval) {
+
+        if (mConfig == null) {
+            CMS.debug("Error: Missing profile configuration");
+            return null;
+        }
+
+        IConfigStore params = mConfig.getSubStore("params");
+        if (params == null) {
+            CMS.debug("Error: Missing constraint parameters");
+            return null;
+        }
+
         try {
-            if (mConfig == null)
-                return null;
-            if (mConfig.getSubStore("params") != null) {
-                return mConfig.getSubStore("params").getString(name);
-            }
+            return params.getString(name, defval);
+
         } catch (EBaseException e) {
+            CMS.debug(e);
+            return null;
         }
-        return "";
     }
 
     public void init(IProfile profile, IConfigStore config)
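Review bot: The Javadoc and debug text in this EnrollDefault method still say "constraint": `Get constraint parameter in profile configuration.` and `CMS.debug("Error: Missing constraint parameters");`. In a debug log that wording points the reader at the wrong component when a default fails to load its parameters. Suggest `Get default parameter in profile configuration.` and `CMS.debug("Error: Missing default parameters");`, and correct "occured" to "occurred" in the `@return` line.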
diff --git a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
index b649c7076727494ceb23417add5910b540cadc69..02807346fbddc4ffc4d0a36d49fcb6262de231ad 100644
--- a/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
+++ b/base/server/cms/src/com/netscape/cms/profile/def/ValidityDefault.java
@@ -20,6 +20,7 @@ package com.netscape.cms.profile.def;
 import java.io.IOException;
 import java.text.ParsePosition;
 import java.text.SimpleDateFormat;
+import java.util.Calendar;
 import java.util.Date;
 import java.util.Locale;
 
@@ -44,6 +45,7 @@ import com.netscape.certsrv.request.IRequest;
  */
 public class ValidityDefault extends EnrollDefault {
     public static final String CONFIG_RANGE = "range";
+    public static final String CONFIG_RANGE_UNIT = "rangeUnit";
     public static final String CONFIG_START_TIME = "startTime";
 
     public static final String VAL_NOT_BEFORE = "notBefore";
@@ -51,11 +53,10 @@ public class ValidityDefault extends EnrollDefault {
 
     public static final String DATE_FORMAT = "yyyy-MM-dd HH:mm:ss";
 
-    private long mDefault = 86400000; // 1 days
-
     public ValidityDefault() {
         super();
         addConfigName(CONFIG_RANGE);
+        addConfigName(CONFIG_RANGE_UNIT);
         addConfigName(CONFIG_START_TIME);
         addValueName(VAL_NOT_BEFORE);
         addValueName(VAL_NOT_AFTER);
@@ -93,6 +94,12 @@ public class ValidityDefault extends EnrollDefault {
                     "7305",
                     CMS.getUserMessage(locale,
                             "CMS_PROFILE_VALIDITY_RANGE"));
+        } else if (name.equals(CONFIG_RANGE_UNIT)) {
+            return new Descriptor(IDescriptor.STRING,
+                    null,
+                    "day",
+                    CMS.getUserMessage(locale,
+                            "CMS_PROFILE_VALIDITY_RANGE_UNIT"));
         } else if (name.equals(CONFIG_START_TIME)) {
             return new Descriptor(IDescriptor.STRING,
                     null,
@@ -216,13 +223,37 @@ public class ValidityDefault extends EnrollDefault {
                 getConfig(CONFIG_RANGE));
     }
 
+    public int convertRangeUnit(String unit) throws Exception {
+
+        if (unit.equals("year")) {
+            return Calendar.YEAR;
+
+        } else if (unit.equals("month")) {
+            return Calendar.MONTH;
+
+        } else if (unit.equals("day")) {
+            return Calendar.DAY_OF_YEAR;
+
+        } else if (unit.equals("hour")) {
+            return Calendar.HOUR_OF_DAY;
+
+        } else if (unit.equals("minute")) {
+            return Calendar.MINUTE;
+
+        } else {
+            throw new Exception("Invalid range unit: " + unit);
+        }
+    }
+
     /**
      * Populates the request with this policy default.
      */
     public void populate(IRequest request, X509CertInfo info)
             throws EProfileException {
+
         // always + 60 seconds
         String startTimeStr = getConfig(CONFIG_START_TIME);
+        CMS.debug("ValidityDefault: start time: " + startTimeStr);
         try {
             startTimeStr = mapPattern(request, startTimeStr);
         } catch (IOException e) {
@@ -233,21 +264,43 @@ public class ValidityDefault extends EnrollDefault {
             startTimeStr = "60";
         }
         int startTime = Integer.parseInt(startTimeStr);
+
         Date notBefore = new Date(CMS.getCurrentDate().getTime() + (1000 * startTime));
-        long notAfterVal = 0;
+        CMS.debug("ValidityDefault: not before: " + notBefore);
 
+        String rangeStr = getConfig(CONFIG_RANGE, "7305");
+        CMS.debug("ValidityDefault: range: " + rangeStr);
+
+        int range;
         try {
-            String rangeStr = getConfig(CONFIG_RANGE);
             rangeStr = mapPattern(request, rangeStr);
-            notAfterVal = notBefore.getTime() +
-                    (mDefault * Integer.parseInt(rangeStr));
-        } catch (Exception e) {
-            // configured value is not correct
-            CMS.debug("ValidityDefault: populate " + e.toString());
+            range = Integer.parseInt(rangeStr);
+        } catch (IOException e) {
+            CMS.debug(e);
             throw new EProfileException(CMS.getUserMessage(
                         getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE));
         }
-        Date notAfter = new Date(notAfterVal);
+
+        String rangeUnitStr = getConfig(CONFIG_RANGE_UNIT, "day");
+        CMS.debug("ValidityDefault: range unit: " + rangeUnitStr);
+
+        int rangeUnit;
+        try {
+            rangeUnit = convertRangeUnit(rangeUnitStr);
+        } catch (Exception e) {
+            CMS.debug(e);
+            throw new EProfileException(CMS.getUserMessage(
+                        getLocale(request), "CMS_INVALID_PROPERTY", CONFIG_RANGE_UNIT));
+        }
+
+        // calculate the end of validity range
+        Calendar date = Calendar.getInstance();
+        date.setTime(notBefore);
+        date.add(rangeUnit, range);
+
+        Date notAfter = date.getTime();
+        CMS.debug("ValidityDefault: not after: " + notAfter);
+
         CertificateValidity validity =
                 new CertificateValidity(notBefore, notAfter);
 
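Review bot: Narrowing the catch from `Exception` to `IOException` leaves `Integer.parseInt(rangeStr)` uncovered. A non-numeric or null `range` now escapes populate() as an unchecked NumberFormatException instead of the `CMS_INVALID_PROPERTY` EProfileException the old code produced. Restore it with `} catch (IOException | NumberFormatException e) {`, or with a second catch clause if the build targets a Java level without multi-catch. There is also no lower bound on `range`, so a zero or negative value gives a notAfter at or before notBefore; an `if (range <= 0)` check throwing the same EProfileException would catch that here rather than relying on the constraint. populate() begins before this hunk.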
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index 74c1a94a608fa3c3188ff4dda8b69a014f3f454e..b8cf27cc5697f5f4b356d49ba679f8f1105b44d5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -1898,6 +1898,8 @@ public final class CMSAdminServlet extends AdminServlet {
                     certpath = value;
             }
 
+            CMS.debug("CMSAdminServlet: installCert(" + nickname + ")");
+
             try {
                 if (pkcs == null || pkcs.equals("")) {
                     if (certpath == null || certpath.equals("")) {
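Review bot: `nickname` is written to the debug log unmodified in `CMS.debug("CMSAdminServlet: installCert(" + nickname + ")");`. Judging by the `certpath = value` assignment just above, it appears to be filled from request parameters, so an embedded CR or LF could forge additional debug-log lines. The servlet is admin-only, which limits the exposure, but I would replace line breaks in the value before logging it, or confirm that CMS.debug already neutralises them. The enclosing method starts and ends outside this hunk.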
@@ -2191,7 +2193,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             boolean verified = CMS.verifySystemCertByNickname(nickname, null);
             if (verified == true) {
-                CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() succeeded:" + nickname);
+                CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() succeeded: " + nickname);
                 auditMessage = CMS.getLogMessage(
                         LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
                         auditSubjectID,
@@ -2200,7 +2202,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
                 audit(auditMessage);
             } else {
-                CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() failed:" + nickname);
+                CMS.debug("CMSAdminServlet: installCert(): verifySystemCertByNickname() failed: " + nickname);
                 auditMessage = CMS.getLogMessage(
                                 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
                                 auditSubjectID,
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index fe43094e6b2a0531502570bc626da557fc9061ae..2dc1f268c844d742328c0c9a94c5625b1b5f264b 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -833,12 +833,14 @@ CMS_PROFILE_GENERAL_NAMES=General Names
 CMS_PROFILE_VALIDITY_CHECK_NOT_BEFORE=Check Not Before against current time
 CMS_PROFILE_VALIDITY_CHECK_NOT_AFTER=Check Not After against Not Before
 CMS_PROFILE_VALIDITY_NOT_BEFORE_GRACE_PERIOD=Grace period for Not Before being set in the future (in seconds).
-CMS_PROFILE_VALIDITY_RANGE=Validity Range (in days)
+CMS_PROFILE_VALIDITY_RANGE=Validity Range
+CMS_PROFILE_VALIDITY_RANGE_UNIT=Validity Range Unit (default: day)
 CMS_PROFILE_VALIDITY_START_TIME=Relative Start Time (in seconds)
 CMS_PROFILE_NOT_BEFORE_RANDOM_BITS=Not Before Random Bits
 CMS_PROFILE_NOT_AFTER_RANDOM_BITS=Not After Random Bits
 CMS_PROFILE_BYPASS_CA_NOTAFTER=Bypass CA notAfter constraint
-CMS_PROFILE_VALIDITY_OUT_OF_RANGE=Validity Out of Range {0} days
+CMS_PROFILE_VALIDITY_INVALID_RANGE_UNIT=Invalid Range Unit: {0}
+CMS_PROFILE_VALIDITY_OUT_OF_RANGE=Validity Out of Range: {0} is after {1}
 CMS_PROFILE_RENEW_GRACE_BEFORE=Renewal Grace Period Before
 CMS_PROFILE_RENEW_GRACE_AFTER=Renewal Grace Period After
 CMS_PROFILE_RENEW_OUTSIDE_GRACE_PERIOD=Outside of Renewal Grace Period: {0}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 68c64824e37bcad282a5bbeabf6b943fabf39481..04ff5ec46cab59eaf8e32e709677fcae66a33420 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1420,6 +1420,7 @@ public class CMSEngine implements ICMSEngine {
     }
 
     public boolean verifySystemCertByNickname(String nickname, String certificateUsage) {
+        CMS.debug("CMSEngine: verifySystemCertByNickname(" + nickname + ", " + certificateUsage + ")");
         return CertUtils.verifySystemCertByNickname(nickname, certificateUsage);
     }
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 9dc33e541c23736a86a25ece441fbe7723fa1820..244c36dc7e0bbac181ce37d6344cc849a70ba873 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -831,6 +831,7 @@ public class CertUtils {
      * returns true if it verifies; false if any not
      */
     public static boolean verifySystemCertByNickname(String nickname, String certusage) {
+        CMS.debug("CertUtils: verifySystemCertByNickname(" + nickname + "," + certusage + ")");
         boolean r = true;
         CertificateUsage cu = null;
         cu = getCertificateUsage(certusage);
@@ -850,9 +851,9 @@ public class CertUtils {
             if (cu.getUsage() != CryptoManager.CertificateUsage.CheckAllUsages.getUsage()) {
                 if (cm.isCertValid(nickname, true, cu)) {
                     r = true;
-                    CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+                    CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
                 } else {
-                    CMS.debug("CertUtils: verifySystemCertByNickname() failed:" + nickname);
+                    CMS.debug("CertUtils: verifySystemCertByNickname() failed: " + nickname);
                     r = false;
                 }
             } else {
@@ -864,7 +865,7 @@ public class CertUtils {
                     CMS.debug("CertUtils: verifySystemCertByNickname() failed: cert is good for nothing:" + nickname);
                 } else {
                     r = true;
-                    CMS.debug("CertUtils: verifySystemCertByNickname() passed:" + nickname);
+                    CMS.debug("CertUtils: verifySystemCertByNickname() passed: " + nickname);
 
                     if ((ccu & CryptoManager.CertificateUsage.SSLServer.getUsage()) != 0)
                         CMS.debug("CertUtils: verifySystemCertByNickname(): cert is SSLServer");
@@ -905,6 +906,9 @@ public class CertUtils {
      * returns true if it verifies; false if any not
      */
     public static boolean verifySystemCertByTag(String tag) {
+
+        CMS.debug("CertUtils: verifySystemCertByTag(" + tag + ")");
+
         String auditMessage = null;
         IConfigStore config = CMS.getConfigStore();
         boolean r = true;
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBRegistry.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBRegistry.java
index 653850e02d8a8641bf4420f6198357ce67ef24d2..cd475cd56a8484b1844f06997e5712ac366f6cda 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBRegistry.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBRegistry.java
@@ -460,7 +460,7 @@ public class DBRegistry implements IDBRegistry, ISubsystem {
             throw new EDBException(CMS.getLogMessage("CMS_DBS_MISSING_OBJECT_CLASS"));
         }
 
-        //CMS.debug("createObject: attrs " + attrs.toString());
+        CMS.debug("createObject: attrs " + attrs);
 
         attrs.remove("objectclass");
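Review bot: Re-enabling `CMS.debug("createObject: attrs " + attrs);` writes the full attribute set of every record being stored to the debug log. Which mappers feed `attrs` is not visible from this hunk, but for some record types the values may be material that should not sit in a log file with looser access control than the directory. I would log only the attribute names or the object class, or leave the line commented out. createObject begins and ends outside the hunk.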
 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java
index be674bfd59ca8d377a0a1919bc8419eb25a8308f..46b83547272874f64ebf5fac3b48c0136a488efd 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/DBSubsystem.java
@@ -640,6 +640,7 @@ public class DBSubsystem implements IDBSubsystem {
 
             tmpConfig.putString(PROP_BASEDN, mBaseDN);
         } catch (EBaseException e) {
+            CMS.debug(e);
             if (CMS.isPreOpMode())
                 return;
             throw e;
@@ -648,15 +649,18 @@ public class DBSubsystem implements IDBSubsystem {
         try {
             mLdapConnFactory.init(tmpConfig);
         } catch (ELdapServerDownException e) {
+            CMS.debug(e);
             if (CMS.isPreOpMode())
                 return;
             throw new EDBNotAvailException(
                     CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_UNAVAILABLE"));
-        } catch (ELdapException ex) {
+        } catch (ELdapException e) {
+            CMS.debug(e);
             if (CMS.isPreOpMode())
                 return;
-            throw new EDBException(CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_ERROR", ex.toString()));
+            throw new EDBException(CMS.getUserMessage("CMS_DBS_INTERNAL_DIR_ERROR", e.toString()));
         } catch (EBaseException e) {
+            CMS.debug(e);
             if (CMS.isPreOpMode())
                 return;
             throw e;
@@ -767,8 +771,9 @@ public class DBSubsystem implements IDBSubsystem {
             reg.registerAttribute(ICRLIssuingPointRecord.ATTR_EXPIRED_CERTS, new
                     ObjectStreamMapper(CRLDBSchema.LDAP_ATTR_EXPIRED_CERTS));
 
-            if (!reg.isObjectClassRegistered(
-                    RepositoryRecord.class.getName())) {
+            boolean registered = reg.isObjectClassRegistered(RepositoryRecord.class.getName());
+            CMS.debug("registered: " + registered);
+            if (!registered) {
                 String repRecordOC[] = new String[2];
 
                 repRecordOC[0] = RepositorySchema.LDAP_OC_TOP;
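Review bot: `CMS.debug("registered: " + registered);` has no class or subject prefix, unlike the `"ValidityConstraint: ..."` and `"CertUtils: ..."` messages elsewhere in this patch, so the line is hard to attribute in a shared debug log. Suggest `CMS.debug("DBSubsystem: RepositoryRecord object class registered: " + registered);`. The `"registering " + recordType.getName()` line added to LDAPDatabase.register has the same issue.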
@@ -776,6 +781,7 @@ public class DBSubsystem implements IDBSubsystem {
                 reg.registerObjectClass(
                         RepositoryRecord.class.getName(), repRecordOC);
             }
+
             if (!reg.isAttributeRegistered(IRepositoryRecord.ATTR_SERIALNO)) {
                 reg.registerAttribute(IRepositoryRecord.ATTR_SERIALNO,
                         new BigIntegerMapper(RepositorySchema.LDAP_ATTR_SERIALNO));
@@ -790,6 +796,7 @@ public class DBSubsystem implements IDBSubsystem {
             }
 
         } catch (EBaseException e) {
+            CMS.debug(e);
             if (CMS.isPreOpMode())
                 return;
             throw e;
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/LDAPDatabase.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/LDAPDatabase.java
index cfe9588070c29857978817d65a6ffd52947c20d4..0e3ffc13bc13bdbbeb0a2687793770297508a1d1 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/LDAPDatabase.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/LDAPDatabase.java
@@ -55,6 +55,9 @@ public abstract class LDAPDatabase<E extends IDBObj> extends Database<E> {
     }
 
     public void register(Class<E> recordType) throws EBaseException {
+
+        CMS.debug("registering " + recordType.getName());
+
         IDBRegistry dbRegistry = dbSubsystem.getRegistry();
 
         // register object classes
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java
index e6b6e831e4981396902989ecc3e730a6cab6cc28..0d789cc6434a078e7cba4d02b4cbeccb838cd09c 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/Repository.java
@@ -132,7 +132,7 @@ public abstract class Repository implements IRepository {
     protected BigInteger getSerialNumber() throws EBaseException {
         IDBSSession s = mDB.createSession();
 
-        CMS.debug("Repository: getSerialNumber.");
+        CMS.debug("Repository: getSerialNumber()");
         RepositoryRecord rec = null;
 
         try {
@@ -327,7 +327,7 @@ public abstract class Repository implements IRepository {
     }
 
     protected void initCacheIfNeeded() throws EBaseException {
-        if (mLastSerialNo == null) 
+        if (mLastSerialNo == null)
             initCache();
     }
 
@@ -401,15 +401,15 @@ public abstract class Repository implements IRepository {
         BigInteger retSerial = new BigInteger(mLastSerialNo.toString());
 
         CMS.debug("Repository: getNextSerialNumber: returning retSerial " + retSerial);
-        return retSerial; 
+        return retSerial;
     }
 
     /**
      * Checks to see if range needs to be switched.
-     *      
+     *
      * @exception EBaseException thrown when next range is not allocated
      */
-    protected void checkRange() throws EBaseException 
+    protected void checkRange() throws EBaseException
     {
         // check if we have reached the end of the range
         // if so, move to next range
-- 
1.8.4.2


