From jmagne at redhat.com Fri May 1 17:25:43 2015 
From: jmagne at redhat.com (John Magne)
Date: Fri, 1 May 2015 13:25:43 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0030-OCSP-and-CA-minor-cloning-fixes.patch
In-Reply-To: <1321797323.12241248.1430501112251.JavaMail.zimbra@redhat.com>
Message-ID: <2144595553.12241345.1430501143260.JavaMail.zimbra@redhat.com>

Tickets #1294, #1058

The patch does the following:

1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058

The controversial part of this one is the fact that I have disabled having OCSP clones register themselves to the CA as publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is the master is on an island with respect to updates and could be considered a single point of failure.

Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer OCSP clones to set up the publishers in such a way that all clones and master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successful publish should end the processing of that group.

2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post install tasks that we are trying to automate.

Code tested to work.

1. OCSP clones can be installed and the CRLs were checked to be in sync when an update occurred to the master.
2. The CA clone has been seen to have the required params and it looks to come up just fine.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0030-OCSP-and-CA-minor-cloning-fixes.patch
Type: text/x-patch
Size: 10200 bytes
Desc: not available
From: jmagne at redhat.com (John Magne)
Date: Fri, 1 May 2015 18:21:32 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0030-OCSP-and-CA-minor-cloning-fixes.patch
In-Reply-To: <2144595553.12241345.1430501143260.JavaMail.zimbra@redhat.com>
References: <2144595553.12241345.1430501143260.JavaMail.zimbra@redhat.com>
Message-ID: <488368515.12914047.1430518892111.JavaMail.zimbra@redhat.com>

Based on review comments from cfu and alee, and ACKS from both, pushed to master.

Tickets #1294, #1058

----- Original Message -----
From: "John Magne"
To: "pki-devel"
Sent: Friday, May 1, 2015 10:25:43 AM
Subject: [Pki-devel] [pki-devel][PATCH] 0030-OCSP-and-CA-minor-cloning-fixes.patch

Tickets #1294, #1058

The patch does the following:

1. Allows an OCSP clone to actually install and operate. It also sets a param appropriate for an OCSP clone. Ticket #1058

The controversial part of this one is the fact that I have disabled having OCSP clones register themselves to the CA as publishing target. The master is already getting the updates and we rely upon replication to keep the clones updated. The current downside is the master is on an island with respect to updates and could be considered a single point of failure.

Thus my proposal for this simple patch is to get the OCSP clone working as in existing functionality. Then we come back and propose a ticket to allow the installer OCSP clones to set up the publishers in such a way that all clones and master are registered, but when it is actually time to publish, the CRL publisher has the smarts to know that members of a clone cluster are in a group and the first successful publish should end the processing of that group.

2. Allows the CA clone to set some params to disable certain things that a clone should not do. This was listed as a set of misc post install tasks that we are trying to automate.

Code tested to work.

1. OCSP clones can be installed and the CRLs were checked to be in sync when an update occurred to the master.
2. The CA clone has been seen to have the required params and it looks to come up just fine.

_______________________________________________
Pki-devel mailing list
Pki-devel at redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel
From: cfu at redhat.com (Christina Fu)
Date: Mon, 04 May 2015 16:38:45 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0055-Ticket-1295-CA-OCSP-via-GET-does-not-work.patch
In-Reply-To: <55401259.1060400@redhat.com>
References: <55400BDB.4090706@redhat.com> <55401259.1060400@redhat.com>
Message-ID: <55480305.2040905@redhat.com>

here is the patch for the upgrade script for this ticket
https://fedorahosted.org/pki/ticket/1295
Please review.

Note: I was able to get the xml element added to the web.xml and the server will work with the ocsp GET request, however, there is a cosmetic issue with missing blank line and a few spaces for the next element after. If anyone has ideas on how to fix this, please feel free to make suggestions.
Here is how it looks now:
http://fpaste.org/218405/

thanks,
Christina

On 04/28/2015 04:06 PM, Christina Fu wrote:
> pushed to master
> commit 267635f87c5ba9382f0931ad3e1b7cb9e42c6a6d
>
> On 04/28/2015 03:38 PM, Christina Fu wrote:
>> This patch should address the issue reported in:
>> https://fedorahosted.org/pki/ticket/1295
>> Please review.
>>
>> thanks,
>> Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0057-Ticket-1295-Upgrade-script-for-CA-OCSP-via-GET-does-.patch
Type: text/x-patch
Size: 3337 bytes
Desc: not available
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Mon, 04 May 2015 23:23:37 -0500
Subject: [Pki-devel] [PATCH] 589 Fixed authentication data in audit log.
Message-ID: <554845C9.9060105@redhat.com>

The REST methods may be executed by different threads even though they are invoked in the same session. A new interceptor has been added to all subsystems to make sure the SessionContext is created properly for each thread. This will fix the authentication data in the audit log. The SessionContext has also been improved to use ThreadLocal instead of a global Hashtable.

https://fedorahosted.org/pki/ticket/1054

--
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0589-Fixed-authentication-data-in-audit-log.patch
Type: text/x-patch
Size: 15141 bytes
Desc: not available
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 May 2015 09:11:36 -0500
Subject: [Pki-devel] [PATCH] pki-cfu-0055-Ticket-1295-CA-OCSP-via-GET-does-not-work.patch
In-Reply-To: <55480305.2040905@redhat.com>
References: <55400BDB.4090706@redhat.com> <55401259.1060400@redhat.com> <55480305.2040905@redhat.com>
Message-ID: <5548CF98.5060305@redhat.com>

On 5/4/2015 6:38 PM, Christina Fu wrote:
> here is the patch for the upgrade script for this ticket
> https://fedorahosted.org/pki/ticket/1295
> Please review.
>
> Note: I was able to get the xml element added to the web.xml and the
> server will work with the ocsp GET request, however, there is a cosmetic
> issue with missing blank line and a few spaces for the next element
> after. If anyone has ideas on how to fix this, please feel free to make
> suggestions.
> Here is how it looks now:
> http://fpaste.org/218405/
>
> thanks,
> Christina

A few minor issues:

1. I was able to fix the missing blank line and spaces with the changes that you mentioned on IRC:

   mapping.tail = '\n\n '

   You might want to test it again (and make sure the web.xml is clean).

2. The indentations of the XML elements in OCSPGETServletMappingData should match those in the web.xml (3 and 6 spaces).

3. Recently we implemented direct deployment for all subsystems (commit 533b33a753801b3cc91529d83ac75f2214f86fcf), so newly deployed subsystems will not have a web.xml in the instance folder (they will be updated automatically during RPM upgrade). However, old subsystems (or custom subsystems) will still have it. So we should perform the upgrade only if the file exists. Without this check, you might see an error in pki-server-upgrade log.

4. Since this is the first upgrade script for 10.2.4, there should be a 10.2.4 folder in base/common/upgrade as well with just a .gitignore file.

These issues should be easy to fix before push. ACK.

--
Endi S. Dewata
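One way to write the upgrade step the review above asks for, as an added example that is not Christina's script or Dogtag's code: it skips instances that have no web.xml, keeps the 3/6-space indentation, and sets the tail of the previous element so a blank line separates the new mapping. The servlet name caOCSP and url-pattern /ocsp/* are placeholders, xml.etree.ElementTree stands in for lxml, and the sample web.xml is constructed.

```python
# Added example: idempotent web.xml upgrade step (not Dogtag's own code).
# Assumptions: servlet name "caOCSP" and url-pattern "/ocsp/*" are placeholders;
# ElementTree replaces lxml; the constructed sample has no xmlns (a namespaced
# web.xml would need namespace-qualified tag names in the find calls).
import os
import tempfile
import xml.etree.ElementTree as ET

INDENT1 = "\n   "      # 3 spaces: children of <web-app>
INDENT2 = "\n      "   # 6 spaces: children of <servlet-mapping>

# Constructed sample input, not a real Dogtag web.xml.
WEB_XML_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>

   <servlet-mapping>
      <servlet-name>caGetCRL</servlet-name>
      <url-pattern>/ee/ca/getCRL</url-pattern>
   </servlet-mapping>

</web-app>
"""


def has_mapping(root, url_pattern):
    """True if a <servlet-mapping> for url_pattern already exists."""
    for mapping in root.findall("servlet-mapping"):
        pattern = mapping.find("url-pattern")
        if pattern is not None and (pattern.text or "").strip() == url_pattern:
            return True
    return False


def build_mapping(servlet_name, url_pattern):
    """Create <servlet-mapping> carrying the whitespace the file's style uses."""
    mapping = ET.Element("servlet-mapping")
    mapping.text = INDENT2
    name = ET.SubElement(mapping, "servlet-name")
    name.text = servlet_name
    name.tail = INDENT2
    pattern = ET.SubElement(mapping, "url-pattern")
    pattern.text = url_pattern
    pattern.tail = INDENT1
    return mapping


def add_servlet_mapping(web_xml, servlet_name, url_pattern):
    """Add the mapping to web_xml; return True only if the file was changed.

    Returns False without touching anything when the file does not exist
    (directly deployed subsystems have no web.xml in the instance folder)
    or when the mapping is already present, so re-running the upgrade is safe.
    """
    if not os.path.exists(web_xml):
        return False
    tree = ET.parse(web_xml)
    root = tree.getroot()
    if has_mapping(root, url_pattern):
        return False
    new = build_mapping(servlet_name, url_pattern)
    mappings = root.findall("servlet-mapping")
    if mappings:
        last = mappings[-1]
        # The new element inherits whatever followed the old last element;
        # the old element gets a blank line plus indentation before the new one.
        new.tail = last.tail
        last.tail = "\n" + INDENT1
        root.insert(list(root).index(last) + 1, new)
    else:
        new.tail = "\n"
        root.append(new)
    tree.write(web_xml, encoding="utf-8", xml_declaration=True)
    return True


def demo():
    """Run the upgrade twice on the constructed web.xml and once on a missing
    file; returns (changed_first, changed_second, changed_missing, mappings)."""
    workdir = tempfile.mkdtemp()
    web_xml = os.path.join(workdir, "web.xml")
    with open(web_xml, "w") as f:
        f.write(WEB_XML_SAMPLE)
    first = add_servlet_mapping(web_xml, "caOCSP", "/ocsp/*")
    second = add_servlet_mapping(web_xml, "caOCSP", "/ocsp/*")
    missing = add_servlet_mapping(os.path.join(workdir, "absent", "web.xml"),
                                  "caOCSP", "/ocsp/*")
    count = len(ET.parse(web_xml).getroot().findall("servlet-mapping"))
    return first, second, missing, count


if __name__ == "__main__":
    print(demo())  # (True, False, False, 2)
```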
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 05 May 2015 14:17:51 -0500
Subject: [Pki-devel] [PATCH] 589 Fixed authentication data in audit log.
In-Reply-To: <554845C9.9060105@redhat.com>
References: <554845C9.9060105@redhat.com>
Message-ID: <5549175F.60008@redhat.com>

On 5/4/2015 11:23 PM, Endi Sukma Dewata wrote:
> The REST methods may be executed by different threads even though
> they are invoked in the same session. A new interceptor has been
> added to all subsystems to make sure the SessionContext is created
> properly for each thread. This will fix the authentication data in
> the audit log. The SessionContext has also been improved to use
> ThreadLocal instead of a global Hashtable.
>
> https://fedorahosted.org/pki/ticket/1054

Cleaned up imports. ACKed by Ade. Pushed to master.

--
Endi S. Dewata

From: jmagne at redhat.com (John Magne)
Date: Tue, 5 May 2015 17:27:19 -0400 (EDT)
Subject: [Pki-devel] [pki-devel][PATCH] 0031-Ticket-572-CRL-scheduler-adds-extra-CRL-generation-a.patch
In-Reply-To: <1334299418.14407143.1430861118751.JavaMail.zimbra@redhat.com>
Message-ID: <1177673410.14407736.1430861239547.JavaMail.zimbra@redhat.com>

Patch addresses the issue with the least amount of change, isolated to the specific problem case.

The case is when we have a daily schedule that spans only one day. When the last member of the daily schedule fires, the system thinks the next update should be at midnight the following morning instead of the first entry of the schedule for the next day.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0031-Ticket-572-CRL-scheduler-adds-extra-CRL-generation-a.patch
Type: text/x-patch
Size: 3402 bytes
Desc: not available
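The scheduling rule John describes, as an added example rather than the code in patch 0031: a daily schedule is assumed to be a list of "HH:MM" entries repeating every day, the correct wrap-around goes to the first entry of the next day, and the buggy variant that falls back to midnight is kept beside it so the extra CRL generation can be counted.

```python
# Added example (not the CRL scheduler from patch 0031). Assumption: a daily
# schedule is a list of "HH:MM" strings that repeats every day; multi-day
# schedules, which the thread says are unaffected, are not modelled here.
from datetime import datetime, timedelta

SCHEDULE = ["01:00", "13:00"]   # constructed one-day schedule


def at(text):
    """Parse 'YYYY-MM-DD HH:MM' into a datetime (helper for readable tests)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_schedule(entries):
    """Turn ['13:00', '01:00'] into sorted (hour, minute) tuples, validated."""
    times = []
    for entry in entries:
        hour, minute = (int(part) for part in entry.split(":"))
        if not (0 <= hour < 24 and 0 <= minute < 60):
            raise ValueError("invalid schedule entry: %r" % entry)
        times.append((hour, minute))
    if not times:
        raise ValueError("schedule must contain at least one entry")
    return sorted(times)


def next_update(entries, now):
    """First scheduled time strictly after `now`.

    Once every entry of today's schedule has fired, the next update is the
    first entry of tomorrow, not midnight.
    """
    times = parse_schedule(entries)
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for hour, minute in times:
        candidate = today.replace(hour=hour, minute=minute)
        if candidate > now:
            return candidate
    first_hour, first_minute = times[0]
    return (today + timedelta(days=1)).replace(hour=first_hour, minute=first_minute)


def next_update_buggy(entries, now):
    """The behaviour described in the thread: after the last entry fires the
    scheduler falls back to midnight, an update the schedule never asked for."""
    times = parse_schedule(entries)
    today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    for hour, minute in times:
        candidate = today.replace(hour=hour, minute=minute)
        if candidate > now:
            return candidate
    return today + timedelta(days=1)


def count_updates(compute_next, entries, start, end):
    """Number of CRL generations compute_next schedules in [start, end)."""
    count = 0
    now = start
    while True:
        now = compute_next(entries, now)
        if now >= end:
            return count
        count += 1


if __name__ == "__main__":
    window = (at("2015-05-05 00:00"), at("2015-05-07 00:00"))
    print(count_updates(next_update, SCHEDULE, *window))        # 4
    print(count_updates(next_update_buggy, SCHEDULE, *window))  # 5
```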
From: cfu at redhat.com (Christina Fu)
Date: Tue, 05 May 2015 18:04:57 -0700
Subject: [Pki-devel] [PATCH] pki-cfu-0055-Ticket-1295-CA-OCSP-via-GET-does-not-work.patch
In-Reply-To: <5548CF98.5060305@redhat.com>
References: <55400BDB.4090706@redhat.com> <55401259.1060400@redhat.com> <55480305.2040905@redhat.com> <5548CF98.5060305@redhat.com>
Message-ID: <554968B9.1070308@redhat.com>

Thanks Endi. All comments addressed...

commit 2aa7ed131f4d229269088775513f23ec8b3793ec
Author: Christina Fu
Date: Mon May 4 15:51:48 2015 -0700

    Ticket 1295 Upgrade script for - CA: OCSP via GET does not work

Christina

On 05/05/2015 07:11 AM, Endi Sukma Dewata wrote:
> On 5/4/2015 6:38 PM, Christina Fu wrote:
>> here is the patch for the upgrade script for this ticket
>> https://fedorahosted.org/pki/ticket/1295
>> Please review.
>>
>> Note: I was able to get the xml element added to the web.xml and the
>> server will work with the ocsp GET request, however, there is a cosmetic
>> issue with missing blank line and a few spaces for the next element
>> after. If anyone has ideas on how to fix this, please feel free to make
>> suggestions.
>> Here is how it looks now:
>> http://fpaste.org/218405/
>>
>> thanks,
>> Christina
>
> A few minor issues:
>
> 1. I was able to fix the missing blank line and spaces with the
> changes that you mentioned on IRC:
>
> mapping.tail = '\n\n '
>
> You might want to test it again (and make sure the web.xml is clean).
>
> 2. The indentations of the XML elements in OCSPGETServletMappingData
> should match those in the web.xml (3 and 6 spaces).
>
> 3. Recently we implemented direct deployment for all subsystems
> (commit 533b33a753801b3cc91529d83ac75f2214f86fcf), so newly deployed
> subsystems will not have a web.xml in the instance folder (they will
> be updated automatically during RPM upgrade). However, old subsystems
> (or custom subsystems) will still have it. So we should perform the
> upgrade only if the file exists.
Without this check, you might see an > error in pki-server-upgrade log. > > 4. Since this is the first upgrade script for 10.2.4, there should be > a 10.2.4 folder in base/common/upgrade as well with just a .gitignore > file. > > These issues should be easy to fix before push. ACK. > From edewata at redhat.com Wed May 6 05:30:57 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 06 May 2015 00:30:57 -0500 Subject: [Pki-devel] [PATCH] 590 Fixed migration tool to update Tomcat libraries. Message-ID: <5549A711.8000404@redhat.com> The migration tool has been fixed to update the links to Tomcat libraries in the instance folder to match the current Tomcat version installed on the system. https://fedorahosted.org/pki/ticket/1353 -- Endi S. Dewata -------------- next part -------------- From a17d65e85c9b69ff1f2a317fef99f5c530382196 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 May 2015 00:08:30 -0400 Subject: [PATCH] Fixed migration tool to update Tomcat libraries. The migration tool has been fixed to update the links to Tomcat libraries in the instance folder to match the current Tomcat version installed on the system. https://fedorahosted.org/pki/ticket/1353 --- base/server/python/pki/server/__init__.py | 6 ++-- base/server/python/pki/server/cli/migrate.py | 41 ++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py index bbdfedc2c36a73662762b817bb1c0054b762cdbf..9eaadc1ef307bfc1c2b0d3e74f1d77c8fc4b5e4c 100644 --- a/base/server/python/pki/server/__init__.py +++ b/base/server/python/pki/server/__init__.py @@ -50,6 +50,7 @@ class PKIServer(object): return instances + class PKISubsystem(object): def __init__(self, instance, subsystem_name): 
@@ -104,10 +105,11 @@ class PKIInstance(object): if self.type >= 10: self.base_dir = os.path.join(INSTANCE_BASE_DIR, name) - self.conf_dir = os.path.join(self.base_dir, 'conf') else: self.base_dir = os.path.join(pki.BASE_DIR, name) - self.conf_dir = os.path.join(self.base_dir, 'conf') + + self.conf_dir = os.path.join(self.base_dir, 'conf') + self.lib_dir = os.path.join(self.base_dir, 'lib') self.registry_dir = os.path.join(pki.server.REGISTRY_DIR, 'tomcat', self.name) self.registry_file = os.path.join(self.registry_dir, self.name) diff --git a/base/server/python/pki/server/cli/migrate.py b/base/server/python/pki/server/cli/migrate.py index 5b387cd6728dfcc44e808359c3740e8cd9d59c52..665d046d1ef99204a3aaea2faa6a4e6b33e46c4f 100644 --- a/base/server/python/pki/server/cli/migrate.py +++ b/base/server/python/pki/server/cli/migrate.py @@ -20,7 +20,9 @@ # import getopt +import grp import os +import pwd import sys from lxml import etree @@ -106,6 +108,8 @@ class MigrateCLI(pki.cli.CLI): pki_context_xml = os.path.join(instance.conf_dir, 'Catalina', 'localhost', 'pki.xml') self.migrate_context_xml(pki_context_xml, tomcat_version) + self.migrate_tomcat_libraries(instance.lib_dir) + def migrate_server_xml(self, filename, tomcat_version): if self.verbose: @@ -379,6 +383,9 @@ class MigrateCLI(pki.cli.CLI): def migrate_context_xml(self, filename, tomcat_version): + if not os.path.exists(filename): + return + if self.verbose: print 'Migrating %s' % filename 
@@ -429,3 +436,37 @@ class MigrateCLI(pki.cli.CLI): context.append(resources) resources.set('allowLinking', 'true') + + def migrate_tomcat_libraries(self, lib_dir): + + tomcat_dir = '/usr/share/tomcat/lib' + uid = pwd.getpwnam('pkiuser').pw_uid + gid = grp.getgrnam('pkiuser').gr_gid + + # remove old links + for filename in os.listdir(lib_dir): + + if not filename.endswith(".jar"): + continue + + path = os.path.join(lib_dir, filename) + + if self.verbose: + print 'Removing %s' % path + + os.remove(path) + + # create new links + for filename in os.listdir(tomcat_dir): + + if not filename.endswith(".jar"): + continue + + source = os.path.join(tomcat_dir, filename) + dest = os.path.join(lib_dir, filename) + + if self.verbose: + print 'Creating %s' % dest + + os.symlink(source, dest) + os.lchown(dest, uid, gid) -- 1.9.3 From cfu at redhat.com Wed May 6 17:33:55 2015 From: cfu at redhat.com (Christina Fu) Date: Wed, 06 May 2015 10:33:55 -0700 Subject: [Pki-devel] [pki-devel][PATCH] 0031-Ticket-572-CRL-scheduler-adds-extra-CRL-generation-a.patch In-Reply-To: <1177673410.14407736.1430861239547.JavaMail.zimbra@redhat.com> References: <1177673410.14407736.1430861239547.JavaMail.zimbra@redhat.com> Message-ID: <554A5083.7030901@redhat.com> ACK Christina On 05/05/2015 02:27 PM, John Magne wrote: > Patch addresses the issue with least amount of change, isolated to the specific problem case. > > The case is when we have a daily schedule that spans only one day. When the last member of the > daily schedule fires, the system thinks the next update should be at midnight the following morning > instead of the first entry of the schedule for the next day. > > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From alee at redhat.com Wed May 6 20:19:56 2015 
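Review bot: in the `migrate_tomcat_libraries` hunk, `os.remove(path)` is applied to every `*.jar` in `lib_dir` whether or not it is a symlink, so a jar an administrator placed in the instance lib directory by hand, or a link that points somewhere other than `/usr/share/tomcat/lib`, is deleted without warning. Suggest guarding the removal with `os.path.islink(path)` (and ideally checking that `os.readlink(path)` points into `tomcat_dir`), and logging what was skipped; `os.symlink(source, dest)` will also raise if a leftover non-jar entry of the same name exists. The hard-coded `'/usr/share/tomcat/lib'` and `'pkiuser'` belong in constants or on `PKIInstance`, which already computes the other instance paths.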
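Review bot: the new `self.migrate_tomcat_libraries(instance.lib_dir)` call in the `@@ -106,6 +108,8 @@` hunk is unconditional, while `migrate_context_xml` in the following hunk gains an `os.path.exists` guard; `os.listdir(lib_dir)` raises `OSError` when the directory is missing, so instances without a `lib` directory need the same guard here (or a clear error message) rather than a traceback from the migration tool.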
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 May 2015 16:19:56 -0400
Subject: [Pki-devel] [PATCH] patch to nuxwdog to add systemd support
Message-ID: <1430943596.15344.34.camel@localhost.localdomain>

The attached patch adds systemd support. When the STARTED_BY_SYSTEMD environment variable is set, nuxwdog will call "systemd-ask-password" to get the password from systemd.

To get this to work, we needed to temporarily disable the signal handler used to handle SIGCHLD so as not to interfere with the handling of the response from systemd-ask-password.

Also fixed an error condition.

Please review,
Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nuxwdog-systemd.patch
Type: text/x-patch
Size: 5191 bytes
Desc: not available
From: alee at redhat.com (Ade Lee)
Date: Wed, 06 May 2015 16:25:56 -0400
Subject: [Pki-devel] [PATCH] patch to pki-core for nuxwdog systemd support
Message-ID: <1430943956.18232.4.camel@localhost.localdomain>

Patches to get nuxwdog working with systemd

This patch adds some new unit files and targets for starting instances with nuxwdog, as well as logic within the pki-server nuxwdog module to switch to/from the old and new systemd unit files. It also corrects some issues found in additional testing of the nuxwdog change scripts.

To use nuxwdog to start the instance, a user needs to do the following:

1. Create an instance normally.
2. Run: pki-server instance-nuxwdog-enable
3. Start the instance using: systemctl start pki-tomcatd-nuxwdog@.service

To revert the instance, simply do the following:

1. Run: pki-server instance-nuxwdog-disable
2. Start the instance using: systemctl start pki-tomcatd@.service

To do all this, you need the latest nuxwdog (with the patches I just posted).

What's missing:

1. documentation. That will come next.
2. right now -- under nuxwdog, java runs as root. We will need to change this.
3. Not integrated with pkispawn. Basically, if you want to add a new subsystem to a nuxwdog-ed instance, you will need to revert to a non-nuxwdog instance first.

Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0255-Patches-to-get-nuxwdog-working-with-systemd.patch
Type: text/x-patch
Size: 12741 bytes
Desc: not available
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 06 May 2015 15:30:42 -0500
Subject: [Pki-devel] [PATCH] 591 Added options for internal token and replication passwords.
Message-ID: <554A79F2.6070800@redhat.com>

The installation code has been modified such that it provides several options for internal token and replication passwords:

* reuse the same admin/database passwords (default)
* specify new passwords
* generate new random passwords

https://fedorahosted.org/pki/ticket/1354

--
Endi S. Dewata

-------------- next part --------------
From 385897582fcc6d3c954528d11dce7aabf31e2c17 Mon Sep 17 00:00:00 2001 From: "Endi S. Dewata" Date: Wed, 6 May 2015 16:19:19 -0400 Subject: [PATCH] Added options for internal token and replication passwords. The installation code has been modified such that it provides several options for internal token and replication passwords: * reuse the same admin/database passwords (default) * specify new passwords * generate new random passwords https://fedorahosted.org/pki/ticket/1354 --- .../certsrv/system/ConfigurationRequest.java | 157 +++------------------ .../certsrv/system/SystemConfigResource.java | 10 -- .../dogtagpki/server/rest/SystemConfigService.java | 42 ++++-- base/server/etc/default.cfg | 10 ++ .../python/pki/server/deployment/pkihelper.py | 3 + .../python/pki/server/deployment/pkiparser.py | 32 ++++- 6 files changed, 89 insertions(+), 165 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java index 0caa215fbd6334ad6656002470f69d6b8426c861..932745c481c6863e11960b0b60e3a10bd57a30f8 100644 --- a/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java +++ b/base/common/src/com/netscape/certsrv/system/ConfigurationRequest.java 
@@ -21,7 +21,6 @@ import java.net.URI; import java.net.URISyntaxException; import java.util.List; -import javax.ws.rs.core.MultivaluedMap; import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlElement; @@ -29,8 +28,6 @@ import javax.xml.bind.annotation.XmlRootElement; import javax.xml.bind.annotation.adapters.XmlAdapter; import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter; -import org.apache.commons.lang.StringUtils; - /** * @author alee * 
@@ -38,69 +35,6 @@ import org.apache.commons.lang.StringUtils; @XmlRootElement(name="ConfigurationRequest") @XmlAccessorType(XmlAccessType.FIELD) public class ConfigurationRequest { - private static final String PIN = "pin"; - private static final String TOKEN = "token"; - private static final String TOKEN_PASSWORD = "tokenPassword"; - private static final String SECURITY_DOMAIN_TYPE = "securityDomainType"; - private static final String SECURITY_DOMAIN_URI = "securityDomainUri"; - private static final String SECURITY_DOMAIN_NAME = "securityDomainName"; - private static final String SECURITY_DOMAIN_USER = "securityDomainUser"; - private static final String SECURITY_DOMAIN_PASSWORD = "securityDomainPassword"; - private static final String IS_CLONE = "isClone"; - private static final String CLONE_URI = "cloneUri"; - private static final String SUBSYSTEM_NAME = "subsystemName"; - private static final String P12_FILE = "p12File"; - private static final String P12_PASSWORD = "p12Password"; - private static final String HIERARCHY = "hierarchy"; - private static final String DSHOST = "dsHost"; - private static final String DSPORT = "dsPort"; - private static final String BASEDN = "basedn"; - private static final String CREATE_NEW_DB = "createNewDB"; - private static final String BINDDN = "binddn"; - private static final String DATABASE = "database"; - private static final String SECURECONN = "secureConn"; - private static final String REMOVEDATA = "removeData"; - private static final String MASTER_REPLICATION_PORT = "masterReplicationPort"; - private static final String CLONE_REPLICATION_PORT = "cloneReplicationPort"; - private static final String REPLICATE_SCHEMA = "replicateSchema"; - private static final String REPLICATION_SECURITY = "replicationSecurity"; - private static final String SETUP_REPLICATION = "setupReplication"; - private static final String ISSUING_CA = "issuingCa"; - private static final String BACKUP_KEYS = "backupKeys"; - private static final String 
BACKUP_FILE = "backupFile"; - private static final String BACKUP_PASSWORD = "backupPassword"; - private static final String ADMIN_UID = "adminUid"; - private static final String ADMIN_EMAIL = "adminEmail"; - private static final String ADMIN_PASSWORD = "adminPassword"; - private static final String ADMIN_CERT_REQUEST = "adminCertRequest"; - private static final String ADMIN_CERT_REQUEST_TYPE = "adminCertRequestType"; - private static final String ADMIN_SUBJECT_DN = "adminSubjectDN"; - private static final String ADMIN_NAME = "adminName"; - private static final String ADMIN_PROFILE_ID = "adminProfileID"; - private static final String IMPORT_ADMIN_CERT = "importAdminCert"; - private static final String ADMIN_CERT = "adminCert"; - private static final String STANDALONE = "standAlone"; - private static final String STEP_TWO = "stepTwo"; - private static final String GENERATE_SERVER_CERT = "generateServerCert"; - private static final String SUBORDINATE_SECURITY_DOMAIN_NAME = "subordinateSecurityDomainName"; - - // TPS specific parameters - private static final String AUTHDB_BASEDN = "authdbBaseDN"; - private static final String AUTHDB_HOST = "authdbHost"; - private static final String AUTHDB_PORT = "authdbPort"; - private static final String AUTHDB_SECURE_CONN = "authdbSecureConn"; - private static final String CA_URI = "caUri"; - private static final String TKS_URI = "tksUri"; - private static final String KRA_URI = "kraUri"; - private static final String ENABLE_SERVER_SIDE_KEYGEN = "enableServerSideKeygen"; - - // TKS/TPS shared secret parameters - private static final String IMPORT_SHARED_SECRET = "importSharedSecret"; - - // Parameters for shared tomcat instances - private static final String GENERATE_SUBSYSTEM_CERT="generateSubsystemCert"; - private static final String SHARED_DB = "sharedDB"; - private static final String SHARED_DBUSER_DN = "sharedDBUserDN"; //defaults public static final String TOKEN_DEFAULT = "Internal Key Storage Token"; 
@@ -190,6 +124,12 @@ public class ConfigurationRequest { protected String replicationSecurity; @XmlElement + protected String replicationPasswordSource; + + @XmlElement + protected String replicationPassword; + + @XmlElement protected String setupReplication; @XmlElement 
@@ -292,75 +232,6 @@ public class ConfigurationRequest { // required for JAXB } - public ConfigurationRequest(MultivaluedMap form) throws URISyntaxException { - pin = form.getFirst(PIN); - token = form.getFirst(TOKEN); - tokenPassword = form.getFirst(TOKEN_PASSWORD); - securityDomainType = form.getFirst(SECURITY_DOMAIN_TYPE); - securityDomainUri = form.getFirst(SECURITY_DOMAIN_URI); - securityDomainName = form.getFirst(SECURITY_DOMAIN_NAME); - securityDomainUser = form.getFirst(SECURITY_DOMAIN_USER); - securityDomainPassword = form.getFirst(SECURITY_DOMAIN_PASSWORD); - isClone = form.getFirst(IS_CLONE); - cloneUri = form.getFirst(CLONE_URI); - subsystemName = form.getFirst(SUBSYSTEM_NAME); - p12File = form.getFirst(P12_FILE); - p12Password = form.getFirst(P12_PASSWORD); - hierarchy = form.getFirst(HIERARCHY); - dsHost = form.getFirst(DSHOST); - dsPort = form.getFirst(DSPORT); - baseDN = form.getFirst(BASEDN); - createNewDB = form.getFirst(CREATE_NEW_DB); - bindDN = form.getFirst(BINDDN); - database = form.getFirst(DATABASE); - secureConn = form.getFirst(SECURECONN); - removeData = form.getFirst(REMOVEDATA); - masterReplicationPort = form.getFirst(MASTER_REPLICATION_PORT); - cloneReplicationPort = form.getFirst(CLONE_REPLICATION_PORT); - replicateSchema = form.getFirst(REPLICATE_SCHEMA); - replicationSecurity = form.getFirst(REPLICATION_SECURITY); - setupReplication = form.getFirst(SETUP_REPLICATION); - //TODO - figure out how to get the cert requests - issuingCA = form.getFirst(ISSUING_CA); - backupFile = form.getFirst(BACKUP_FILE); - backupPassword = form.getFirst(BACKUP_PASSWORD); - backupKeys = form.getFirst(BACKUP_KEYS); - adminUID = form.getFirst(ADMIN_UID); - adminEmail = form.getFirst(ADMIN_EMAIL); - adminPassword = form.getFirst(ADMIN_PASSWORD); - adminCertRequest = form.getFirst(ADMIN_CERT_REQUEST); - adminCertRequestType = form.getFirst(ADMIN_CERT_REQUEST_TYPE); - adminSubjectDN = form.getFirst(ADMIN_SUBJECT_DN); - adminName = form.getFirst(ADMIN_NAME); - 
adminProfileID = form.getFirst(ADMIN_PROFILE_ID); - adminCert = form.getFirst(ADMIN_CERT); - importAdminCert = form.getFirst(IMPORT_ADMIN_CERT); - standAlone = form.getFirst(STANDALONE); - stepTwo = form.getFirst(STEP_TWO); - generateServerCert = form.getFirst(GENERATE_SERVER_CERT); - authdbBaseDN = form.getFirst(AUTHDB_BASEDN); - authdbHost = form.getFirst(AUTHDB_HOST); - authdbPort = form.getFirst(AUTHDB_PORT); - authdbSecureConn = form.getFirst(AUTHDB_SECURE_CONN); - subordinateSecurityDomainName = form.getFirst(SUBORDINATE_SECURITY_DOMAIN_NAME); - - String value = form.getFirst(CA_URI); - if (!StringUtils.isEmpty(value)) setCaUri(new URI(value)); - - value = form.getFirst(TKS_URI); - if (!StringUtils.isEmpty(value)) setTksUri(new URI(value)); - - value = form.getFirst(KRA_URI); - if (!StringUtils.isEmpty(value)) setKraUri(new URI(value)); - - enableServerSideKeyGen = form.getFirst(ENABLE_SERVER_SIDE_KEYGEN); - importSharedSecret = form.getFirst(IMPORT_SHARED_SECRET); - - generateSubsystemCert = form.getFirst(GENERATE_SUBSYSTEM_CERT); - sharedDB = form.getFirst(SHARED_DB); - sharedDBUserDN = form.getFirst(SHARED_DBUSER_DN); - } - public String getSubsystemName() { return subsystemName; } @@ -637,6 +508,22 @@ public class ConfigurationRequest { this.replicationSecurity = replicationSecurity; } + public String getReplicationPasswordSource() { + return replicationPasswordSource; + } + + public void setReplicationPasswordSource(String replicationPasswordSource) { + this.replicationPasswordSource = replicationPasswordSource; + } + + public String getReplicationPassword() { + return replicationPassword; + } + + public void setReplicationPassword(String replicationPassword) { + this.replicationPassword = replicationPassword; + } + public boolean getSetupReplication() { // default to true if (setupReplication == null) { 
diff --git a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java index 2a490805dbfb3f3a94771fa03be7865d36153d4a..0cebb607433aea8571ff524df42872e9ae781c43 100644 --- a/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java +++ b/base/common/src/com/netscape/certsrv/system/SystemConfigResource.java @@ -17,13 +17,8 @@ // --- END COPYRIGHT BLOCK --- package com.netscape.certsrv.system; -import java.net.URISyntaxException; - -import javax.ws.rs.Consumes; import javax.ws.rs.POST; import javax.ws.rs.Path; -import javax.ws.rs.core.MediaType; -import javax.ws.rs.core.MultivaluedMap; /** @@ -34,10 +29,5 @@ public interface SystemConfigResource { @POST @Path("configure") - @Consumes({ MediaType.APPLICATION_FORM_URLENCODED }) - public ConfigurationResponse configure(MultivaluedMap form) throws URISyntaxException; - - @POST - @Path("configure") public ConfigurationResponse configure(ConfigurationRequest data); } diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java index 12dd54dac37f9677ca9cddfefc9c870a53ca671b..d074cd4af0926160f8df1bb6030c054ade0c9f0a 100644 --- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java +++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java @@ -19,7 +19,6 @@ package org.dogtagpki.server.rest; import java.math.BigInteger; import java.net.MalformedURLException; -import java.net.URISyntaxException; import java.net.URL; import java.security.NoSuchAlgorithmException; import java.security.PublicKey; @@ -31,7 +30,6 @@ import java.util.Random; import javax.servlet.http.HttpServletRequest; import javax.ws.rs.core.Context; import javax.ws.rs.core.HttpHeaders; -import javax.ws.rs.core.MultivaluedMap; import javax.ws.rs.core.Request; import javax.ws.rs.core.UriInfo; 
@@ -110,15 +108,6 @@ public class SystemConfigService extends PKIService implements SystemConfigResou } /* (non-Javadoc) - * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(javax.ws.rs.core.MultivaluedMap) - */ - @Override - public ConfigurationResponse configure(MultivaluedMap form) throws URISyntaxException { - ConfigurationRequest data = new ConfigurationRequest(form); - return configure(data); - } - - /* (non-Javadoc) * @see com.netscape.cms.servlet.csadmin.SystemConfigurationResource#configure(com.netscape.cms.servlet.csadmin.data.ConfigurationData) */ @Override @@ -697,7 +686,32 @@ public class SystemConfigService extends PKIService implements SystemConfigResou try { /* BZ 430745 create password for replication manager */ - String replicationpwd = Integer.toString(new Random().nextInt()); + String replicationPasswordSource = data.getReplicationPasswordSource(); + if (StringUtils.isEmpty(replicationPasswordSource)) { + replicationPasswordSource = "default"; + } + CMS.debug("Replication password source: " + replicationPasswordSource); + + String replicationPassword; + + if ("default".equals(replicationPasswordSource)) { + + // use user-provided password if specified + replicationPassword = data.getReplicationPassword(); + + if (StringUtils.isEmpty(replicationPassword)) { + // otherwise use internal database password + replicationPassword = data.getBindpwd(); + } + + } else if ("random".equals(replicationPasswordSource)) { + // generate random password + replicationPassword = Integer.toString(new Random().nextInt()); + + } else { + CMS.debug("Invalid replication password source: " + replicationPasswordSource); + throw new BadRequestException("Invalid replication password source: " + replicationPasswordSource); + } IConfigStore psStore = null; String passwordFile = null; 
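Review bot: in the replication-password hunk the "random" branch keeps `replicationPassword = Integer.toString(new Random().nextInt());`, which gives at most 32 bits from the non-cryptographic java.util.Random and can be negative; this is the credential of the replication manager that reads the whole directory, so use java.security.SecureRandom and encode more bytes (e.g. 16 random bytes as hex or base64). In the "default" branch the fallback `replicationPassword = data.getBindpwd();` makes the replication account share the internal database bind password; that reuse should either be stated in the default.cfg comment or the fallback should be "random". Logging only the source and not the password in the CMS.debug call is correct.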
@@ -705,14 +719,14 @@ public class SystemConfigService extends PKIService implements SystemConfigResou psStore = CMS.createFileConfigStore(passwordFile); psStore.putString("internaldb", data.getBindpwd()); if (data.getSetupReplication()) { - psStore.putString("replicationdb", replicationpwd); + psStore.putString("replicationdb", replicationPassword); } psStore.commit(false); if (!data.getStepTwo()) { ConfigurationUtils.populateDB(); - cs.putString("preop.internaldb.replicationpwd", replicationpwd); + cs.putString("preop.internaldb.replicationpwd", replicationPassword); cs.putString("preop.database.removeData", "false"); if (data.getSharedDB()) { cs.putString("preop.internaldb.dbuser", data.getSharedDBUserDN()); diff --git a/base/server/etc/default.cfg b/base/server/etc/default.cfg index 3b082020d055bd4a46cfbefc36c81ae46d4d6c4b..e6d7512e9dc04b1ff4a634908c2182ab3c580fd6 100644 --- a/base/server/etc/default.cfg +++ b/base/server/etc/default.cfg @@ -24,6 +24,7 @@ sensitive_parameters= pki_ds_password pki_one_time_pin pki_pin + pki_replication_password pki_security_domain_password pki_token_password @@ -98,6 +99,15 @@ pki_issuing_ca_hostname=%(pki_security_domain_hostname)s pki_issuing_ca_https_port=%(pki_security_domain_https_port)s pki_issuing_ca_uri=https://%(pki_issuing_ca_hostname)s:%(pki_issuing_ca_https_port)s pki_issuing_ca=%(pki_issuing_ca_uri)s + +# Valid values: default, random +pki_pin_source= +pki_pin= + +# Valid values: default, random +pki_replication_password_source= +pki_replication_password= + pki_restart_configured_instance=True pki_security_domain_hostname=%(pki_hostname)s pki_security_domain_https_port=8443 diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py index b9d48eea3d9f3ce89766b93fecb16195fada67e1..239ae3788e32704595645b8b922555c7c481a67e 100644 --- a/base/server/python/pki/server/deployment/pkihelper.py +++ b/base/server/python/pki/server/deployment/pkihelper.py 
@@ -3873,6 +3873,9 @@ class ConfigClient: if not self.clone: self.set_admin_parameters(data) + data.replicationPasswordSource = self.mdict['pki_replication_password_source'] + data.replicationPassword = self.mdict['pki_replication_password'] + # Issuing CA Information self.set_issuing_ca_parameters(data) diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py index 39cef9413171f6a22bb2292edc1f7a18d07257fc..2899bcde9ea9d8bbd4627e621d427350138a8efa 100644 --- a/base/server/python/pki/server/deployment/pkiparser.py +++ b/base/server/python/pki/server/deployment/pkiparser.py @@ -327,10 +327,14 @@ class PKIConfigParser: # means that we need to deal with escaping '%' characters # that might be present. no_interpolation = ( - 'pki_admin_password', 'pki_backup_password', + 'pki_admin_password', + 'pki_backup_password', 'pki_client_database_password', 'pki_client_pkcs12_password', - 'pki_ds_password', 'pki_security_domain_password') + 'pki_ds_password', + 'pki_pin', + 'pki_replicationdb_password', + 'pki_security_domain_password') print 'Loading deployment configuration from ' + \ config.user_deployment_cfg + '.' 
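Review bot: in the pkiparser.py no_interpolation hunk the added entry is `'pki_replicationdb_password'`, but default.cfg (`pki_replication_password=`) and the pkihelper.py hunk (`self.mdict['pki_replication_password']`) use the name `pki_replication_password`; with this spelling the replication password is still subject to ConfigParser '%' interpolation and the exclusion does not take effect. Change the entry to `'pki_replication_password'`.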
@@ -552,18 +556,34 @@ class PKIConfigParser: self.mdict['pki_user_deployment_cfg'] = config.user_deployment_cfg self.mdict['pki_deployed_instance_name'] = \ config.pki_deployed_instance_name + + self.flatten_master_dict() + # Generate random 'pin's for use as security database passwords # and add these to the "sensitive" key value pairs read in from # the configuration file pin_low = 100000000000 pin_high = 999999999999 - self.mdict['pki_pin'] = \ - random.randint(pin_low, pin_high) + + pin_source = self.mdict['pki_pin_source'] + if not pin_source: + pin_source = 'default' + + if pin_source == 'default': + # use user-provided PIN if specified + if not self.mdict['pki_pin']: + # otherwise use the admin password + self.mdict['pki_pin'] = self.mdict['pki_admin_password'] + + elif pin_source == 'random': + self.mdict['pki_pin'] = \ + random.randint(pin_low, pin_high) + else: + raise Exception('Invalid security database PIN source: %s' % pin_source) + self.mdict['pki_client_pin'] = \ random.randint(pin_low, pin_high) - self.flatten_master_dict() - pkilogging.sensitive_parameters = \ self.mdict['sensitive_parameters'].split() -- 1.9.3 From edewata at redhat.com Wed May 6 21:28:32 2015 From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 06 May 2015 16:28:32 -0500 Subject: [Pki-devel] [PATCH] 590 Fixed migration tool to update Tomcat libraries. In-Reply-To: <5549A711.8000404@redhat.com> References: <5549A711.8000404@redhat.com> Message-ID: <554A8780.1020901@redhat.com> On 5/6/2015 12:30 AM, Endi Sukma Dewata wrote: > The migration tool has been fixed to update the links to Tomcat > libraries in the instance folder to match the current Tomcat > version installed on the system. > > https://fedorahosted.org/pki/ticket/1353 Removed hard-coded instance user & group. ACKed by Ade. Pushed to master. -- Endi S. Dewata From jmagne at redhat.com Thu May 7 00:03:35 2015 
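Review bot: in the pkiparser.py PIN-source hunk, an empty pki_pin_source (the value shipped in default.cfg) resolves to 'default', and with pki_pin unset that assigns `self.mdict['pki_pin'] = self.mdict['pki_admin_password']`; before this change the PIN was always a random 12-digit value. Every deployment that does not opt in therefore gets a security database PIN equal to the admin password, so either make 'random' the behaviour for an empty source to preserve the old default, or spell out the consequence next to "# Valid values: default, random" in default.cfg, which currently does not say what 'default' means. Moving `self.flatten_master_dict()` ahead of the pki_pin_source lookup is needed so the %(...)s substitutions are resolved before the value is read; that part looks right.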
From: jmagne at redhat.com (John Magne) Date: Wed, 6 May 2015 20:03:35 -0400 (EDT) Subject: [Pki-devel] [pki-devel][PATCH] 0032-Fix-1351-pki-securitydomain-get-install-token-fails-.patch In-Reply-To: <1702398292.15236282.1430956859099.JavaMail.zimbra@redhat.com> Message-ID: <1191414671.15237396.1430957015804.JavaMail.zimbra@redhat.com> Ticket #1351 : https://fedorahosted.org/pki/ticket/1351 Simple fix to prevent the user from invoking the "securitydomain-get-install-token" sub command of the "pki securitydomain" command. The man page no longer shows this option and the module is no longer callable from the pki command at the command line prompt. -------------- next part -------------- A non-text attachment was scrubbed... Name: 0032-Fix-1351-pki-securitydomain-get-install-token-fails-.patch Type: text/x-patch Size: 13083 bytes Desc: not available URL: From jmagne at redhat.com Thu May 7 00:08:01 2015 From: jmagne at redhat.com (John Magne) Date: Wed, 6 May 2015 20:08:01 -0400 (EDT) Subject: [Pki-devel] [pki-devel][PATCH] 0031-Ticket-572-CRL-scheduler-adds-extra-CRL-generation-a.patch In-Reply-To: <554A5083.7030901@redhat.com> References: <1177673410.14407736.1430861239547.JavaMail.zimbra@redhat.com> <554A5083.7030901@redhat.com> Message-ID: <892527189.15238059.1430957281048.JavaMail.zimbra@redhat.com> ACKED by cfu: Pushed to master. ----- Original Message ----- 
> From: "Christina Fu" > To: pki-devel at redhat.com > Sent: Wednesday, May 6, 2015 10:33:55 AM > Subject: Re: [Pki-devel] [pki-devel][PATCH] 0031-Ticket-572-CRL-scheduler-adds-extra-CRL-generation-a.patch > > ACK > > Christina > > On 05/05/2015 02:27 PM, John Magne wrote: > > > > Patch addresses the issue with least amount of change, isolated to the > specific problem case. > > The case is when we have a daily schedule that spans only one day. When the > last member of the > daily schedule fires, the system thinks the next update should be at midnight > the following morning > instead of the first entry of the schedule for the next day. > > > _______________________________________________ > Pki-devel mailing list Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel > > > _______________________________________________ > Pki-devel mailing list > Pki-devel at redhat.com > https://www.redhat.com/mailman/listinfo/pki-devel From ftweedal at redhat.com Thu May 7 04:36:03 2015 
From: ftweedal at redhat.com (Fraser Tweedale) Date: Thu, 7 May 2015 14:36:03 +1000 Subject: [Pki-devel] [PATCH] 0026 Add lightweight sub-CA support In-Reply-To: <20150306081628.GL7251@dhcp-40-8.bne.redhat.com> References: <20150306081628.GL7251@dhcp-40-8.bne.redhat.com> Message-ID: <20150507043603.GZ16379@dhcp-40-8.bne.redhat.com> Please find updated sub-CA patch that adds subca management REST API and CLI commands, and sub-CA creation. There is still more work to do so I am not looking for ACKs right now, but I would like review in particular of the sub-CA creation routine. Dogtag web UI for selecting a sub-CA is deferred so if you want to send issuance/revocation requests to a sub-CA you will still need to (from earlier mail): > 3. When submitting requests or other queries via HTTP, edit the > initial link target or form action to include the query parameter: > "?caRef=${SUB_CA_HANDLE}" > (Subsequent pages should not require this intervention.) Cheers, Fraser -------------- next part -------------- >From 297fa7b80677c36baf595cba1bacbdd398590acf Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 28 Jan 2015 02:41:10 -0500 Subject: [PATCH] Add lightweight sub-CA support --- .../shared/webapps/ca/agent/ca/queryCert.template | 9 +- .../webapps/ca/agent/ca/reasonToRevoke.template | 8 +- .../shared/webapps/ca/agent/ca/srchCert.template | 2 + base/ca/shared/webapps/ca/ee/ca/queryCert.template | 6 +- .../webapps/ca/ee/ca/reasonToRevoke.template | 8 +- .../src/com/netscape/ca/CertificateAuthority.java | 169 ++++++++++++++++++++- base/ca/src/com/netscape/ca/SigningUnit.java | 10 +- .../dogtagpki/server/ca/rest/CAApplication.java | 3 + .../org/dogtagpki/server/ca/rest/SubCAService.java | 165 ++++++++++++++++++++ .../src/com/netscape/certsrv/ca/CAClient.java | 3 +- .../netscape/certsrv/ca/ICertificateAuthority.java | 28 ++++ .../netscape/certsrv/profile/IEnrollProfile.java | 5 + .../netscape/certsrv/security/ISigningUnit.java | 8 + .../src/com/netscape/certsrv/subca/CAData.java | 88 +++++++++++ .../com/netscape/certsrv/subca/SubCAClient.java | 49 ++++++ .../com/netscape/certsrv/subca/SubCAResource.java | 29 ++++ .../src/com/netscape/cmstools/cli/CACLI.java | 2 + .../src/com/netscape/cmstools/subca/SubCACLI.java | 51 +++++++ .../netscape/cmstools/subca/SubCACreateCLI.java | 66 ++++++++ .../com/netscape/cmstools/subca/SubCAShowCLI.java | 57 +++++++ .../cms/profile/common/CAEnrollProfile.java | 7 +- .../netscape/cms/profile/common/EnrollProfile.java | 3 + .../cms/profile/def/AuthInfoAccessExtDefault.java | 8 +- .../def/AuthorityKeyIdentifierExtDefault.java | 17 ++- .../netscape/cms/profile/def/CAEnrollDefault.java | 4 +- .../netscape/cms/servlet/cert/DisplayBySerial.java | 31 ++-- .../com/netscape/cms/servlet/cert/DoRevoke.java | 15 +- .../cms/servlet/cert/EnrollmentProcessor.java | 9 ++ .../com/netscape/cms/servlet/cert/ListCerts.java | 23 ++- .../netscape/cms/servlet/cert/ReasonToRevoke.java | 13 +- .../com/netscape/cms/servlet/cert/SrchCerts.java | 24 ++- .../com/netscape/cms/servlet/csadmin/CertUtil.java | 38 +++-- 
.../com/netscape/cms/servlet/ocsp/OCSPServlet.java | 5 +- 33 files changed, 874 insertions(+), 89 deletions(-) create mode 100644 base/ca/src/org/dogtagpki/server/ca/rest/SubCAService.java create mode 100644 base/common/src/com/netscape/certsrv/subca/CAData.java create mode 100644 base/common/src/com/netscape/certsrv/subca/SubCAClient.java create mode 100644 base/common/src/com/netscape/certsrv/subca/SubCAResource.java create mode 100644 base/java-tools/src/com/netscape/cmstools/subca/SubCACLI.java create mode 100644 base/java-tools/src/com/netscape/cmstools/subca/SubCACreateCLI.java create mode 100644 base/java-tools/src/com/netscape/cmstools/subca/SubCAShowCLI.java diff --git a/base/ca/shared/webapps/ca/agent/ca/queryCert.template b/base/ca/shared/webapps/ca/agent/ca/queryCert.template index 40ee64b0c0b62a0ff409f2617b956647b8779b59..39f933bcd9cd777a22e1baf4fdc4d8e33e5295bc 100644 --- a/base/ca/shared/webapps/ca/agent/ca/queryCert.template +++ b/base/ca/shared/webapps/ca/agent/ca/queryCert.template @@ -321,8 +321,10 @@ function displayCertificateRecord(i, cert) ""+ " \n"+ " "+ ""+ @@ -419,6 +421,7 @@ function doNext(element) var form = element.form; // form.action = "/"+result.header.op; form.action = "/ca/agent/ca/listCerts"; + form.caRef.value = result.header.caRef || ""; form.op.value = result.header.op; form.queryCertFilter.value = result.header.queryCertFilter; form.direction.value= "down"; @@ -472,6 +475,8 @@ document.write( "\n"+ "\n"+ +"\n"+ "\n"+ ""+ " \n"+ " "+ ""+ diff --git a/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template b/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template index 2a608438b1f46b7695a8692ed857ce7de6e07d42..d81e37a1dab30b079fcbb82c19f6a8ec940deb46 100644 --- a/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template +++ b/base/ca/shared/webapps/ca/ee/ca/reasonToRevoke.template 
@@ -187,9 +187,9 @@ function displayCertInfo() document.write(""); for (var i = 0; i < result.recordSet.length; ++i ) { if (result.recordSet[i].serialNumber != null) { - if (result.header.caSerialNumber != null && - result.recordSet[i].serialNumber == - result.header.caSerialNumber) { + if (result.header.caSerialNumber != null + && result.recordSet[i].serialNumber == result.header.caSerialNumber + && (result.header.caRef || "") == "") { document.write(renderRowWithoutCheckbox("Serial Number: ", toHex(result.recordSet[i].serialNumber))); } else { @@ -448,6 +448,8 @@ function revokeCert(serialNumber)
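Review bot: in the queryCert.template doNext hunk, `form.caRef.value = result.header.caRef || "";` carries the CA handle echoed by the server into the next listCerts request; since caRef selects which CA the servlet acts on, the Java side should validate the handle against the configured sub-CAs and reject unknown values rather than silently falling back to the host CA. The `|| ""` correctly treats a missing header the same as an empty one, so the field is always present in the submitted form.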
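Review bot: in the reasonToRevoke.template hunk, the added `&& (result.header.caRef || "") == ""` condition disables the no-checkbox rendering for the CA's own certificate whenever a sub-CA handle is present, so a sub-CA listing offers a revocation checkbox for the serial matching caSerialNumber. This is a UI guard only; DoRevoke.java is in the diffstat, so please confirm the server-side check there refuses revocation of the host CA's and each sub-CA's signing certificate regardless of caRef.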