From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 1 Nov 2016 18:06:57 -0500
Subject: [Pki-devel] [PATCH] 849-850 Fixed KRA key recovery via CLI in FIPS mode.
Message-ID: <0f5d2641-74c1-1013-15c3-3c7b5f7c09d9@redhat.com>

Based on investigation and solution provided by cfu and jmagne, the
SecurityDataRecoveryService.serviceRequest() has been modified to use
EncryptionUnit.unwrap_temp() for key recovery via CLI in FIPS mode.

The code in SecurityDataRecoveryService.serviceRequest() has been
reformatted for clarity.

https://fedorahosted.org/pki/ticket/2500

ACKed and tested by cfu and jmagne. Pushed to master.

-- 
Endi S. Dewata

Attachment: pki-edewata-0849-Reformatted-SecurityDataRecoveryService.serviceReque.patch (text/x-patch, 7284 bytes)
Attachment: pki-edewata-0850-Fixed-KRA-key-recovery-via-CLI-in-FIPS-mode.patch (text/x-patch, 2321 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 10:34:23 -0500
Subject: [Pki-devel] [PATCH] 851 Fixed default OCSP port in server.xml.

For consistency the server.xml templates for Tomcat 7 and 8 have been
modified to use the same unsecure port used by the instance in the
default OCSP responder URL.

https://fedorahosted.org/pki/ticket/2476

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0851-Fixed-default-OCSP-port-in-server.xml.patch (text/x-patch, 2199 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 10:34:32 -0500
Subject: [Pki-devel] Subject: [PATCH] 852 Fixed exception message in PKCS12Util.loadFromByteArray().
Message-ID: <206b96b1-2296-b726-1347-f2795aa531a4@redhat.com>

For clarity the PKCS12Util.loadFromByteArray() has been modified to
generate a more accurate exception message on PKCS #12 verification
failure.

https://fedorahosted.org/pki/ticket/2476

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0852-Fixed-exception-message-in-PKCS12Util.loadFromByteAr.patch (text/x-patch, 1225 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 19:37:17 -0500
Subject: [Pki-devel] [PATCH] 853-854 Added man pages for PKCS #12 utilities.

New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and
pki-pkcs12-key.

The pki-core.spec has been updated to include the new man pages
for PKCS #12 utilities.

https://fedorahosted.org/pki/ticket/1920

-- 
Endi S. Dewata

Attachment: pki-edewata-0853-Added-man-pages-for-PKCS-12-utilities.patch (text/x-patch, 14767 bytes)
Attachment: pki-edewata-0854-Updated-pki-core.spec.patch (text/x-patch, 970 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 21:07:25 -0500
Subject: [Pki-devel] [PATCH] 855 Added constructors to chain EPropertyException.

To help troubleshooting, the EPropertyException has been modified to
provide constructors to chain the original exception.

https://fedorahosted.org/pki/ticket/2463

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0855-Added-constructors-to-chain-EPropertyException.patch (text/x-patch, 1269 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 21:10:34 -0500
Subject: [Pki-devel] [PATCH] 856 Fixed resource leak in OtherName.
Message-ID: <5f2fdb1a-2baa-ef19-72fd-5b7940574758@redhat.com>

The OtherName has been modified to always close the DerOutputStream
instances.

https://fedorahosted.org/pki/ticket/2530

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0856-Fixed-resource-leak-in-OtherName.patch (text/x-patch, 2393 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 21:19:47 -0500
Subject: [Pki-devel] [PATCH] 857 Fixed resource leak in GenericASN1Extension.

The GenericASN1Extension has been modified to always close the
DerOutputStream instance.

https://fedorahosted.org/pki/ticket/2530

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0857-Fixed-resource-leak-in-GenericASN1Extension.patch (text/x-patch, 1860 bytes)

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 2 Nov 2016 21:31:28 -0500
Subject: [Pki-devel] [PATCH] 858 Fixed resource leak in OCSPNoCheckExtension.

The OCSPNoCheckExtension has been modified to always close the
DerOutputStream instance. The OCSPNoCheckExt has been modified to
wrap the original exception.

https://fedorahosted.org/pki/ticket/2530

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0858-Fixed-resource-leak-in-OCSPNoCheckExtension.patch (text/x-patch, 3672 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 3 Nov 2016 17:59:59 -0500
Subject: [Pki-devel] [PATCH] 859 Fixed resource leak in ExtendedKeyUsageExtension.

The ExtendedKeyUsageExtension has been modified to always close the
DerOutputStream instance. The ExtendedKeyUsageExt has been modified
to wrap the original exception.

https://fedorahosted.org/pki/ticket/2530

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0859-Fixed-resource-leak-in-ExtendedKeyUsageExtension.patch (text/x-patch, 4174 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 3 Nov 2016 18:08:42 -0500
Subject: [Pki-devel] [PATCH] 860 Fixed resource leak in InhibitAnyPolicyExtension.
Message-ID: <8ce7ed4c-11c8-049e-dcbd-7faff7ec7907@redhat.com>

The InhibitAnyPolicyExtension has been modified to always close the
DerOutputStream instance. The InhibitAnyPolicyExtDefault has been
modified to wrap the original exception.

https://fedorahosted.org/pki/ticket/2530

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0860-Fixed-resource-leak-in-InhibitAnyPolicyExtension.patch (text/x-patch, 4442 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 3 Nov 2016 18:25:57 -0500
Subject: [Pki-devel] [PATCH] 861 Replaced deprecated DefaultHttpClient.

The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
and OCSPProcessor has been replaced with HttpClientBuilder.

https://fedorahosted.org/pki/ticket/2531

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0861-Replaced-deprecated-DefaultHttpClient.patch (text/x-patch, 5889 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 3 Nov 2016 23:00:25 -0500
Subject: [Pki-devel] [PATCH] 862 Replaced deprecated ProxyParser.
Message-ID: <94e1d75b-6ab2-5b1a-9645-69452b669827@redhat.com>

The deprecated ProxyParser has been replaced with DefaultParser.

https://fedorahosted.org/pki/ticket/2535

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

Attachment: pki-edewata-0862-Replaced-deprecated-ProxyParser.patch (text/x-patch, 9576 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Thu, 3 Nov 2016 23:14:26 -0500
Subject: [Pki-devel] [PATCH] 863 Reverted policy framework deprecation.

To reduce Eclipse warnings, classes and methods related to policy
framework have been undeprecated. In the future the policy framework
may be removed since it has already been replaced with the profile
framework.

https://fedorahosted.org/pki/ticket/6

-- 
Endi S. Dewata

Attachment: pki-edewata-0863-Reverted-policy-framework-deprecation.patch (text/x-patch, 86235 bytes)

From: alee at redhat.com (Ade Lee)
Date: Fri, 04 Nov 2016 16:11:03 -0400
Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
Message-ID: <1478290263.13297.13.camel@redhat.com>

Hi all,

This is in support of Ticket https://fedorahosted.org/pki/ticket/2532

This is a preliminary set of patches - just so you can see what I'm doing
in case I need to change anything.

Note: With the changes, you can archive a secret like this:

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_1"

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_2" --express

The first invocation will archive a secret and create an archival
request in LDAP. The second will create one only in memory - and will
not store it in LDAP.

You can, of course, see the requests created using:

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-find

For retrieving the secret, you can do either:

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express

The first will retrieve the secret while creating a retrieval request.
The second will create a retrieval request only in memory, and will not
write it to LDAP.

In both cases, there should be audit logs both for retrieval and
archival.

Thanks,
Ade

Attachment: pki-vakwetu-0333-Add-python-client-changes.patch (text/x-patch, 6736 bytes)
Attachment: pki-vakwetu-0332-Add-method-to-obtain-synchronous-request-ids.patch (text/x-patch, 71405 bytes)
Attachment: pki-vakwetu-0331-Refactor-SecurityData-archival-and-recovery-code.patch (text/x-patch, 64521 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 4 Nov 2016 17:43:55 -0500
Subject: [Pki-devel] [PATCH] 864 Generalized list of files in CMakeLists.txt.

The list of source and class files in some CMake files has been
generalized to allow renaming Java packages without changing the
CMake files again.

https://fedorahosted.org/pki/ticket/6

I've verified that the new CMake files do not change the content of
the JAR files.

-- 
Endi S. Dewata

Attachment: pki-edewata-0864-Generalized-list-of-files-in-CMakeLists.txt.patch (text/x-patch, 13099 bytes)


From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 4 Nov 2016 17:54:01 -0500
Subject: [Pki-devel] [PATCH] 865 Moved policy framework classes to org.dogtagpki.legacy.

To discourage the use of policy framework, the framework classes have
been moved into org.dogtagpki.legacy.

https://fedorahosted.org/pki/ticket/6

-- 
Endi S. Dewata

Attachment: pki-edewata-0865-Moved-policy-framework-classes-to-org.dogtagpki.lega.patch (text/x-patch, 128706 bytes)

From: mharmsen at redhat.com (Matthew Harmsen)
Date: Sat, 5 Nov 2016 01:30:02 -0600
Subject: [Pki-devel] Karma Requests for pki-core-10.3.5-8

The following updated candidate builds of pki-core 10.3.5 were generated:

  * Fedora 24
      o pki-core-10.3.5-8.fc24
  * Fedora 25
      o pki-core-10.3.5-8.fc25
  * Fedora 26
      o pki-core-10.3.5-8.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also updated:

  * https://copr.fedorainfracloud.org/coprs/g/pki/epel-7.3/repo/epel-7/group_pki-epel-7.3-epel-7.repo

    [group_pki-epel-7.3]
    name=Copr repo for epel-7.3 owned by @pki
    baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/epel-7-$basearch/
    type=rpm-md
    skip_if_unavailable=True
    gpgcheck=1
    gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/epel-7.3/pubkey.gpg
    repo_gpgcheck=0
    enabled=1
    enabled_metadata=1

These builds address the following PKI tickets:

  * PKI TRAC Ticket #850 - JSS certificate validation function does not pass up exact errors from NSS
  * PKI TRAC Ticket #1247 - Better error message when try to renew a certificate that expires outside renewal grace period
  * PKI TRAC Ticket #1536 - CA EE: Submit caUserCert request without uid does not show proper error message
  * PKI TRAC Ticket #2460 - Typo in comment line of UserPwdDirAuthentication.java
  * PKI TRAC Ticket #2486 - Automatic recovery of encryption cert is not working when a token is physically damaged and a temporary token is issued
  * PKI TRAC Ticket #2498 - Token format with external reg fails when op.format.externalRegAddToToken.revokeCert=true
  * PKI TRAC Ticket #2500 - Problems with FIPS mode
  * PKI TRAC Ticket #2510 - PIN_RESET policy is not giving expected results when set on a token
  * PKI TRAC Ticket #2513 - TPS token enrollment fails to setupSecureChannel when TPS and TKS security db is on fips mode.

Please provide Karma for the following builds:

  * Fedora 24
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-393715962d pki-core-10.3.5-8.fc24
  * Fedora 25
      o https://bodhi.fedoraproject.org/updates/FEDORA-2016-d0eb45e120 pki-core-10.3.5-8.fc25


From: cfu at redhat.com (Christina Fu)
Date: Mon, 7 Nov 2016 17:23:28 -0800
Subject: [Pki-devel] [PATCH] 853-854 Added man pages for PKCS #12 utilities.
Message-ID: <78a9795a-d9fb-ebb3-13be-48c2fbfd1946@redhat.com>

looks good. The only thing I had question with was whether the <file>
referred to in the man pages was in DER binary encoding or base64
encoded PEM. It would help if you clarify that.

Conditional ACK.

Christina

On 11/02/2016 05:37 PM, Endi Sukma Dewata wrote:
> New man pages have been added: pki-pkcs12, pki-pkcs12-cert, and
> pki-pkcs12-key.
>
> The pki-core.spec has been updated to include the new man pages
> for PKCS #12 utilities.
>
> https://fedorahosted.org/pki/ticket/1920
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 8 Nov 2016 11:36:38 -0600
Subject: [Pki-devel] [PATCH] 853-854 Added man pages for PKCS #12 utilities.
In-Reply-To: <78a9795a-d9fb-ebb3-13be-48c2fbfd1946@redhat.com>
References: <78a9795a-d9fb-ebb3-13be-48c2fbfd1946@redhat.com>
Message-ID: <548aaefc-4946-c4f5-c84a-ae0410ea6d02@redhat.com>

On 11/7/2016 7:23 PM, Christina Fu wrote:
> looks good. The only thing I had question with was whether the <file>
> referred to in the man pages was in DER binary encoding or base64
> encoded PEM. It would help if you clarify that.
>
> Conditional ACK.
>
> Christina

Thanks! I fixed the pkcs12-cert-export section to clarify that it
exports a PEM file. The other section about importing a cert file is
actually not implemented yet, so I removed it (sorry!) and updated the
wiki page as well. The patches are pushed to master.

-- 
Endi S. Dewata

From: alee at redhat.com (Ade Lee)
Date: Wed, 09 Nov 2016 10:59:09 -0500
Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
In-Reply-To: <1478290263.13297.13.camel@redhat.com>
References: <1478290263.13297.13.camel@redhat.com>
Message-ID: <1478707149.16937.23.camel@redhat.com>

Based on feedback by Endi, I have reworked the patches.
As Endi pointed out, it makes little sense for the client to determine
whether or not a request is stored to ldap. This should be a
server side decision.

Accordingly, I have modified retrieveKey() as follows:

When clients call retrieveKey(), three possible alternatives now obtain:

1. client passes in an approved request. Request is processed
   and the secret is retrieved.
2. client passes in key_id and wrapping parameters and either:
   a) request can be processed immediately and synchronously
      and request is created, and secret is returned.
   b) request cannot be processed immediately. Recovery request
      is created and request_id returned to the client

Depending on server configuration, the requests in case (2a) will be
stored in ldap or will be ephemeral (in memory only).

More complicated realm based logic to determine if requests
can be processed synchronously (and possibly ephemerally) will be added
in a later patch.

Python client patches coming soon as well.

***********************************************************************
You can test the patches as follows:

(archive and retrieve a passphrase)
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "foobar" --clientKeyID "test_1"
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc

(retrieve the passphrase using an approved recovery request)
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-review --action approve 0x36
pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --requestID 0x36

The above should create requests (archival and recovery) in LDAP.
Add the following to CS.cfg (and restart the KRA):

    kra.ephemeral=true

Redo the above tests, and no requests should be written to LDAP.

Finally, test a case where more than one approval is needed.
Add the following to CS.cfg and restart the KRA.

    kra.noOfRequiredSecurityDataRecoveryAgents=2

pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc

This should return a recovery request ID (which will be written to LDAP).
You will need another agent to approve this request before it can be
used to retrieve the key.

Ade

On Fri, 2016-11-04 at 16:11 -0400, Ade Lee wrote:
> Hi all,
>
> This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
>
> This is preliminary set of patches - just so you can see what I'm
> doing in case I need to change anything.
>
> Note: With the changes, you can archive a secret like this:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_1"
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_2" --express
>
> The first invocation will archive a secret and create an archival
> request in LDAP. The second will create one only in memory - and
> will not store it in LDAP.
>
> You can of course, see the requests created using -
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-request-find
>
> For retrieving the secret, you can do either:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
>
> The first will retrieve the secret while creating a retrieval
> request.
> The second will create a retrieval request only in memory, and will
> not write it to LDAP.
>
> In both cases, there should be audit logs both for retrieval and
> archival.
>
> Thanks,
> Ade

Attachment: pki-vakwetu-0338-Fix-approvals-for-asynchronous-requests.patch (text/x-patch, 1412 bytes)
Attachment: pki-vakwetu-0337-Add-field-to-KeyData-to-allow-request-to-be-returned.patch (text/x-patch, 8866 bytes)
Attachment: pki-vakwetu-0336-Add-option-to-pass-existing-request-to-retrieveKeyCL.patch (text/x-patch, 6124 bytes)
Attachment: pki-vakwetu-0335-Modify-retrieval-and-archival-mechanisms-in-KRA-REST.patch (text/x-patch, 49956 bytes)
Attachment: pki-vakwetu-0334-Refactor-SecurityData-archival-and-recovery-code.patch (text/x-patch, 64521 bytes)

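The three retrieveKey() outcomes and the two CS.cfg settings described in the message above, as an added model that is not part of the thread or of Dogtag's code: the KRA class, its method names, the dict standing in for the LDAP request store and the audit strings are all assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RecoveryRequest:
    request_id: int
    key_id: int
    approvals: List[str]            # agents who have approved so far
    status: str = "pending"         # pending -> approved -> complete (or rejected)


@dataclass
class RetrievalOutcome:
    secret: Optional[bytes]         # set for cases 1 and 2a, None for 2b
    request_id: int                 # the request that was created or consumed
    persisted: bool                 # True if the request was written to the LDAP store


class KRA:
    """Hypothetical model of the server-side retrieveKey() decision (not Dogtag code)."""

    def __init__(self, ephemeral: bool = False, required_agents: int = 1):
        self.ephemeral = ephemeral                  # kra.ephemeral
        self.required_agents = required_agents      # kra.noOfRequiredSecurityDataRecoveryAgents
        self._keys: Dict[int, bytes] = {}           # archived secrets by key id
        self.ldap: Dict[int, RecoveryRequest] = {}  # dict standing in for the LDAP request store
        self.audit: List[str] = []                  # illustrative audit trail, not the real format
        self._next_key = 0x1
        self._next_request = 0x1

    def archive(self, agent: str, client_key_id: str, secret: bytes) -> int:
        """key-archive: store a secret and record an archival audit event."""
        key_id, self._next_key = self._next_key, self._next_key + 1
        self._keys[key_id] = secret
        self.audit.append(f"ARCHIVAL agent={agent} clientKeyID={client_key_id} keyID={key_id:#x}")
        return key_id

    def retrieve_key(self, agent: str, *, key_id: Optional[int] = None,
                     request_id: Optional[int] = None) -> RetrievalOutcome:
        """key-retrieve --requestID (case 1) or key-retrieve --keyID (case 2a/2b)."""
        if request_id is not None:
            # Case 1: the client passes an already-approved request.
            req = self.ldap.get(request_id)
            if req is None or req.status != "approved":
                raise PermissionError(f"request {request_id:#x} is not an approved request")
            req.status = "complete"
            self.audit.append(f"RECOVERY agent={agent} requestID={request_id:#x} result=success")
            return RetrievalOutcome(self._keys[req.key_id], request_id, persisted=True)

        if key_id not in self._keys:
            raise KeyError("key_id (with wrapping parameters) is required when no request is given")

        # Case 2: the client passes key_id; the *server* decides how the request is handled.
        # The calling agent counts as the first approval.
        req = RecoveryRequest(self._next_request, key_id, approvals=[agent])
        self._next_request += 1

        if len(req.approvals) < self.required_agents:
            # Case 2b: more agents must approve, so the request is always written to
            # LDAP (the other agents need to see it), even when kra.ephemeral=true.
            self.ldap[req.request_id] = req
            self.audit.append(f"RECOVERY agent={agent} requestID={req.request_id:#x} result=pending")
            return RetrievalOutcome(None, req.request_id, persisted=True)

        # Case 2a: processed synchronously; the request is persisted only if not ephemeral.
        req.status = "complete"
        if not self.ephemeral:
            self.ldap[req.request_id] = req
        self.audit.append(f"RECOVERY agent={agent} requestID={req.request_id:#x} result=success")
        return RetrievalOutcome(self._keys[key_id], req.request_id, persisted=not self.ephemeral)

    def review(self, agent: str, request_id: int, action: str = "approve") -> str:
        """key-request-review: another agent approves or rejects a pending request."""
        req = self.ldap[request_id]
        if req.status != "pending":
            raise ValueError(f"request {request_id:#x} is {req.status}, not pending")
        if action != "approve":
            req.status = "rejected"
            return req.status
        if agent in req.approvals:
            raise ValueError(f"{agent} already approved {request_id:#x}; a different agent is needed")
        req.approvals.append(agent)
        if len(req.approvals) >= self.required_agents:
            req.status = "approved"
        return req.status
```

The 2b branch spells out the one point the test steps only imply: a request waiting on a second agent is written to LDAP regardless of kra.ephemeral, because the other agent has to be able to find and review it.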
From: alee at redhat.com (Ade Lee)
Date: Wed, 09 Nov 2016 14:55:17 -0500
Subject: [Pki-devel] [PATCH] 861 Replaced deprecated DefaultHttpClient.
Message-ID: <1478721317.16937.46.camel@redhat.com>

ACK

On Thu, 2016-11-03 at 18:25 -0500, Endi Sukma Dewata wrote:
> The deprecated DefaultHttpClient in SubsystemClient, CRMFPopClient,
> and OCSPProcessor has been replaced with HttpClientBuilder.
>
> https://fedorahosted.org/pki/ticket/2531
>
> Pushed to master under trivial/one-liner rule.


From: alee at redhat.com (Ade Lee)
Date: Wed, 09 Nov 2016 14:56:41 -0500
Subject: [Pki-devel] [PATCH] 863 Reverted policy framework deprecation.
Message-ID: <1478721401.16937.47.camel@redhat.com>

ACK

On Thu, 2016-11-03 at 23:14 -0500, Endi Sukma Dewata wrote:
> To reduce Eclipse warnings, classes and methods related to policy
> framework have been undeprecated. In the future the policy
> framework may be removed since it has already been replaced with
> the profile framework.
>
> https://fedorahosted.org/pki/ticket/6


From: alee at redhat.com (Ade Lee)
Date: Wed, 09 Nov 2016 14:56:56 -0500
Subject: [Pki-devel] [PATCH] 864 Generalized list of files in CMakeLists.txt.
Message-ID: <1478721416.16937.48.camel@redhat.com>

ACK

On Fri, 2016-11-04 at 17:43 -0500, Endi Sukma Dewata wrote:
> The list of source and class files in some CMake files have been
> generalized to allow renaming Java packages without changing the
> CMake files again.
>
> https://fedorahosted.org/pki/ticket/6
>
> I've verified that the new CMake files do not change the content of
> the JAR files.


From: alee at redhat.com (Ade Lee)
Date: Wed, 09 Nov 2016 14:57:11 -0500
Subject: [Pki-devel] [PATCH] 865 Moved policy framework classes to org.dogtagpki.legacy.
Message-ID: <1478721431.16937.49.camel@redhat.com>

ACK

On Fri, 2016-11-04 at 17:54 -0500, Endi Sukma Dewata wrote:
> To discourage the use of policy framework, the framework classes
> have been moved into org.dogtagpki.legacy.
>
> https://fedorahosted.org/pki/ticket/6

From: jmagne at redhat.com (John Magne)
Date: Thu, 10 Nov 2016 18:40:02 -0500 (EST)
Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
In-Reply-To: <1478290263.13297.13.camel@redhat.com>
References: <1478290263.13297.13.camel@redhat.com>
Message-ID: <1843050166.14433162.1478821202786.JavaMail.zimbra@redhat.com>

Looked over all these and it looks good. Post checkin ACK :)

Just a couple of questions:

1. Code like this:

if (!synchronous) {
+ // Has to be in this state or it won't go anywhere.
+ request.setRequestStatus(RequestStatus.BEGIN);
+ queue.processRequest(request);
+ } else {
+ kra.processSynchronousRequest(request);
+ }

I know we are handling the synchronous request with a processor and such,
but the standard async request is being handled with the same queue method.
Would it look nicer to have a layer for the standard case, like
processAsynchRequest? No big deal.

2. Did we do a sanity sweep of the various scenarios to make sure that the
refactor is good with respect to legacy code paths? I'm sure we have but
was just asking.

3. Also I realize that the "realm" param is not yet supported but is a
hook for future code. If we have to touch anything again, it might help to
give a comment in the key methods as to why it is not yet being used.

thanks,
jack

----- Original Message -----
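Review bot: in the quoted hunk the asynchronous branch forces request.setRequestStatus(RequestStatus.BEGIN) before queue.processRequest(request) ("Has to be in this state or it won't go anywhere"), while the else branch hands the request to kra.processSynchronousRequest(request) with whatever status it already carries. If processSynchronousRequest also depends on the request state, set it explicitly there as well; if it does not, a one-line comment saying so would answer the same question the review above raises about a separate processAsynchRequest layer.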
> From: "Ade Lee"
> To: pki-devel at redhat.com
> Sent: Friday, November 4, 2016 1:11:03 PM
> Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
>
> Hi all,
>
> This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
>
> This is preliminary set of patches - just so you can see what I'm doing
> in case I need to change anything.
>
> Note: With the changes, you can archive a secret like this:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_1"
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID
> "test_2" --express
>
> The first invocation will archive a secret and create an archival
> request in LDAP. The second will create one only in memory - and will
> not store it in LDAP.
>
> You can of course, see the requests created using -
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> `hostname` -p 8443 key-request-find
>
> For retrieving the secret, you can do either:
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h
> aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
>
> The first will retrieve the secret while creating a retrieval request.
> The second will create a retrieval request only in memory, and will not
> write it to LDAP.
>
> In both cases, there should be audit logs both for retrieval and
> archival.
>
> Thanks,
> Ade

From: alee at redhat.com (Ade Lee)
Date: Fri, 11 Nov 2016 09:20:21 -0500
Subject: [Pki-devel] [PATCH] 331-333 add support for synchronous key archival and recovery requests.
In-Reply-To: <1478707149.16937.23.camel@redhat.com>
References: <1478290263.13297.13.camel@redhat.com> <1478707149.16937.23.camel@redhat.com>
Message-ID: <1478874021.16937.67.camel@redhat.com>

Thanks for reviews (Endi and Jack). Pushed to master with a few minor changes to auditing.

Ade

On Wed, 2016-11-09 at 10:59 -0500, Ade Lee wrote:
> Based on feedback by Endi, I have reworked the patches.
> As Endi pointed out, it makes little sense for the client to determine
> whether or not a request is stored to ldap or not. This should be a
> server side decision.
>
> Accordingly, I have modified retrieveKey() as follows:
>
> When clients call retrieveKey(), three possible alternatives now obtain:
>
> 1. client passes in an approved request. Request is processed
>    and the secret is retrieved.
> 2. client passes in key_id and wrapping parameters and either:
>    a) request can be processed immediately and synchronously
>       and request is created, and secret is returned.
>    b) request cannot be processed immediately. Recovery request
>       is created and request_id returned to the client
>
> Depending on server configuration, the requests in case (2a) will be
> stored in ldap or will be ephemeral (in memory only).
>
> More complicated realm based logic to determine if requests
> can be processed synchronously (and possibly ephemerally) will be added
> in a later patch.
>
> Python client patches coming soon as well.
>
> ***********************************************************************
> You can test the patches as follows:
>
> (archive and retrieve a passphrase)
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "foobar" --clientKeyID "test_1"
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
>
> (retrieve the passphrase using an approved recovery request)
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-review --action approve 0x36
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --requestID 0x36
>
> The above should create requests (archival and recovery) in LDAP.
> Add the following to CS.cfg (and restart the KRA):
>
>     kra.ephemeral=true
>
> Redo the above tests, and no requests should be written to LDAP.
>
> Finally, test a case where more than one approval is needed.
> Add the following to CS.cfg and restart the KRA.
>
>     kra.noOfRequiredSecurityDataRecoveryAgents=2
>
> pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-retrieve --keyID 0xc
>
> This should return a recovery request ID (which will be written to LDAP).
> You will need another agent to approve this request before it can be
> used to retrieve the key.
>
> Ade
>
> On Fri, 2016-11-04 at 16:11 -0400, Ade Lee wrote:
> >
> > Hi all,
> >
> > This is in support of Ticket https://fedorahosted.org/pki/ticket/2532
> >
> > This is preliminary set of patches - just so you can see what I'm doing
> > in case I need to change anything.
> >
> > Note: With the changes, you can archive a secret like this:
> >
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_1"
> >
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-archive --passphrase "ooga booga" --clientKeyID "test_2" --express
> >
> > The first invocation will archive a secret and create an archival
> > request in LDAP. The second will create one only in memory - and will
> > not store it in LDAP.
> >
> > You can of course, see the requests created using -
> >
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h `hostname` -p 8443 key-request-find
> >
> > For retrieving the secret, you can do either:
> >
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5
> >
> > pki -d . -n "PKI Administrator for laptop" -P https -c redhat123 -h aleeredhat.laptop -p 8443 key-retrieve --keyID 0x5 --express
> >
> > The first will retrieve the secret while creating a retrieval request.
> > The second will create a retrieval request only in memory, and will not
> > write it to LDAP.
> >
> > In both cases, there should be audit logs both for retrieval and
> > archival.
> >
> > Thanks,
> > Ade
> _______________________________________________
> Pki-devel mailing list
> Pki-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-devel

From edewata at redhat.com Fri Nov 11 22:40:56 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 11 Nov 2016 16:40:56 -0600
Subject: [Pki-devel] [PATCH] 863 Reverted policy framework deprecation.
In-Reply-To: <1478721401.16937.47.camel@redhat.com>
References: <1478721401.16937.47.camel@redhat.com>
Message-ID:

On 11/9/2016 1:56 PM, Ade Lee wrote:
> ACK

Thanks! Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Fri Nov 11 22:41:00 2016
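The server-side decision Ade describes in the thread above (an already approved request, a request that can be fulfilled synchronously, or a request that has to wait for more agent approvals), written out as an added Python model. This is illustration code, not code from the Dogtag PKI project or from the patches: the configuration keys kra.ephemeral and kra.noOfRequiredSecurityDataRecoveryAgents are the ones named in the test instructions, while the class, method and audit event names are assumptions, and wrapping of the returned secret with the client's wrapping parameters is left out.

```python
"""Server-side model of synchronous vs. asynchronous key recovery.

Added illustration, not Dogtag PKI code: the retrieveKey() flow from the
thread (case 1: approved request; case 2a: immediate, possibly ephemeral
request; case 2b: request that must wait for more agent approvals).  The
config keys come from the thread; class, method and audit event names are
assumptions for this example.  Key wrapping is omitted.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class RecoveryRequest:
    request_id: str
    key_id: str
    approvals: Set[str] = field(default_factory=set)   # agents who approved so far


@dataclass
class Outcome:
    secret: Optional[bytes] = None     # present only when the key was released
    request_id: Optional[str] = None   # the request this call created or consumed
    persisted: bool = False            # True if the request went to the durable store


class KeyRecoveryService:
    def __init__(self, config: Dict[str, str], key_store: Dict[str, bytes]) -> None:
        self.ephemeral = config.get("kra.ephemeral", "false").lower() == "true"
        self.required_agents = int(
            config.get("kra.noOfRequiredSecurityDataRecoveryAgents", "1"))
        self.key_store = key_store                          # key_id -> archived secret
        self.persistent: Dict[str, RecoveryRequest] = {}   # stands in for LDAP
        self.volatile: Dict[str, RecoveryRequest] = {}     # in-memory only
        self.audit: List[str] = []
        self._next = 1

    def _create(self, key_id: str, agent: str, persist: bool) -> RecoveryRequest:
        req = RecoveryRequest(f"0x{self._next:x}", key_id, {agent})
        self._next += 1
        (self.persistent if persist else self.volatile)[req.request_id] = req
        return req

    def _find(self, request_id: str) -> Optional[RecoveryRequest]:
        return self.persistent.get(request_id) or self.volatile.get(request_id)

    def can_release(self, request_id: str) -> bool:
        """True once the request has collected the configured number of approvals."""
        req = self._find(request_id)
        return req is not None and len(req.approvals) >= self.required_agents

    def approve(self, request_id: str, agent: str) -> None:
        """A further agent approves a pending request (pending requests are always durable)."""
        self.persistent[request_id].approvals.add(agent)
        self.audit.append(f"RECOVERY_APPROVAL request={request_id} agent={agent}")

    def retrieve_key(self, agent: str, request_id: Optional[str] = None,
                     key_id: Optional[str] = None) -> Outcome:
        """The server, not the client, decides whether the key can be released now."""
        if request_id is not None:
            # Case 1: caller presents an existing request; release only if approved.
            if not self.can_release(request_id):
                self.audit.append(f"RECOVERY_DENIED request={request_id} agent={agent}")
                raise PermissionError(f"request {request_id} is not approved")
            req = self._find(request_id)
            self.audit.append(f"RECOVERY_SUCCESS request={request_id} agent={agent}")
            return Outcome(self.key_store[req.key_id], request_id,
                           request_id in self.persistent)
        if key_id is None:
            raise ValueError("need either request_id or key_id")
        if self.required_agents <= 1:
            # Case 2a: one agent suffices, so the request is created and fulfilled
            # in the same call; server config decides whether it is stored durably.
            req = self._create(key_id, agent, persist=not self.ephemeral)
            self.audit.append(f"RECOVERY_SUCCESS request={req.request_id} agent={agent}")
            return Outcome(self.key_store[key_id], req.request_id, not self.ephemeral)
        # Case 2b: more approvals are needed; the request must outlive this call,
        # so it is stored durably regardless of kra.ephemeral.
        req = self._create(key_id, agent, persist=True)
        self.audit.append(f"RECOVERY_PENDING request={req.request_id} agent={agent}")
        return Outcome(None, req.request_id, True)
```

With the default configuration the first call returns the secret and leaves a durable request behind; with kra.ephemeral=true the same call returns the secret but leaves nothing in the durable store; with two required agents the call returns only a request id, and a second agent's approve() is needed before a retrieve_key() with that id releases the key. Every branch writes an audit entry, which is what the thread says should be checked in each case.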
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 11 Nov 2016 16:41:00 -0600 Subject: [Pki-devel] [PATCH] 864 Generalized list of files in CMakeLists.txt. In-Reply-To: <1478721416.16937.48.camel@redhat.com> References: <1478721416.16937.48.camel@redhat.com> Message-ID: On 11/9/2016 1:56 PM, Ade Lee wrote: > ACK Thanks! Pushed to master. -- Endi S. Dewata From edewata at redhat.com Fri Nov 11 22:41:07 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 11 Nov 2016 16:41:07 -0600 Subject: [Pki-devel] [PATCH] 865 Moved policy framework classes to org.dogtagpki.legacy. In-Reply-To: <1478721431.16937.49.camel@redhat.com> References: <1478721431.16937.49.camel@redhat.com> Message-ID: <06a602b5-2f1f-f22b-45fe-9fbbd7035377@redhat.com> On 11/9/2016 1:57 PM, Ade Lee wrote: > ACK Thanks! Rebased and pushed to master. -- Endi S. Dewata From edewata at redhat.com Tue Nov 15 21:57:49 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 15 Nov 2016 15:57:49 -0600 Subject: [Pki-devel] [PATCH] 866 Fixed problem installing subordinate CA with HSM in FIPS mode. Message-ID: <7b3623ea-4a65-e9e7-7959-ddd5e2891e23@redhat.com> Due to certutil issue (bug #1393668) the installation code has been modified to import certificates into the NSS database in two steps. This workaround is needed to install subordinate CA with HSM in FIPS mode. First, the certificate will be imported into the HSM using the HSM password without the trust attributes. Then, the certificate will be imported into the internal token using the internal token password with the trust attributes. https://fedorahosted.org/pki/ticket/2543 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0866-Fixed-problem-installing-subordinate-CA-with-HSM-in-.patch Type: text/x-patch Size: 4630 bytes Desc: not available URL: From jmagne at redhat.com Wed Nov 16 02:20:09 2016 
From: jmagne at redhat.com (John Magne)
Date: Tue, 15 Nov 2016 21:20:09 -0500 (EST)
Subject: [Pki-devel] [pki-devel][PATCH]
In-Reply-To: <1994138437.17510637.1479262712718.JavaMail.zimbra@redhat.com>
Message-ID: <1554093259.17510753.1479262809543.JavaMail.zimbra@redhat.com>

Ticket: TPS throws "err=6" when attempting to format and e : https://fedorahosted.org/pki/ticket/2544

Fix tested on standard card, it does what it is supposed to do. It checks first to make sure the lifecycle state needs to be changed before attempting to do so. This will prevent any cards that return an error when one tries to overwrite the value with the same value it had before.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0085-Change-lifecycle-at-end-of-enrollment-if-it-is-not-a.patch
Type: text/x-patch
Size: 5199 bytes
Desc: not available
URL:

From cfu at redhat.com Wed Nov 16 02:55:37 2016
From: cfu at redhat.com (Christina Fu)
Date: Tue, 15 Nov 2016 18:55:37 -0800
Subject: [Pki-devel] [PATCH] 866 Fixed problem installing subordinate CA with HSM in FIPS mode.
In-Reply-To: <7b3623ea-4a65-e9e7-7959-ddd5e2891e23@redhat.com>
References: <7b3623ea-4a65-e9e7-7959-ddd5e2891e23@redhat.com>
Message-ID: <961ed9fd-51e6-a2ba-8a6e-d4029a2b7113@redhat.com>

looks good. if tested to work, ack.

Christina

On 11/15/2016 01:57 PM, Endi Sukma Dewata wrote:
> Due to certutil issue (bug #1393668) the installation code has
> been modified to import certificates into the NSS database in
> two steps. This workaround is needed to install subordinate CA
> with HSM in FIPS mode.
>
> First, the certificate will be imported into the HSM using the
> HSM password without the trust attributes. Then, the certificate
> will be imported into the internal token using the internal token
> password with the trust attributes.
>
> https://fedorahosted.org/pki/ticket/2543

From edewata at redhat.com Wed Nov 16 05:00:28 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 15 Nov 2016 23:00:28 -0600
Subject: [Pki-devel] [PATCH] 866 Fixed problem installing subordinate CA with HSM in FIPS mode.
In-Reply-To: <961ed9fd-51e6-a2ba-8a6e-d4029a2b7113@redhat.com>
References: <7b3623ea-4a65-e9e7-7959-ddd5e2891e23@redhat.com> <961ed9fd-51e6-a2ba-8a6e-d4029a2b7113@redhat.com>
Message-ID: <1c6c83e2-32ab-9bf9-5745-fe0ced39b952@redhat.com>

On 11/15/2016 8:55 PM, Christina Fu wrote:
> looks good. if tested to work, ack.
>
> Christina

Thanks! Pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Wed Nov 16 05:02:21 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Tue, 15 Nov 2016 23:02:21 -0600 Subject: [Pki-devel] [PATCH] 867 Fixed hanging subordinate CA with HSM installation in FIPS mode. Message-ID: <88ae6cf2-680a-dd13-dd30-625f7690959c@redhat.com> When installing subordinate CA with HSM, the installer calls the pki CLI (which is implemented using JSS) to validate the imported CA certificate in HSM. Normally, the HSM password is specified as CLI parameter, but in FIPS mode JSS requires both the HSM and the internal token passwords. Since the CLI only takes one password, JSS will prompt for the missing one on the console causing the installation to hang. As a temporary solution, the pki-server subsystem-cert-validate command has been modified to validate certificates stored in the internal token only and it will use the internal token password, so only a single password is required. Further investigation in CLI/JSS/NSS is needed to support validating certificates in HSM without password prompts. https://fedorahosted.org/pki/ticket/2543 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0867-Fixed-hanging-subordinate-CA-with-HSM-installation-i.patch Type: text/x-patch Size: 2792 bytes Desc: not available URL: From edewata at redhat.com Wed Nov 16 17:22:54 2016 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Wed, 16 Nov 2016 11:22:54 -0600 Subject: [Pki-devel] [PATCH] 867 Fixed hanging subordinate CA with HSM installation in FIPS mode. In-Reply-To: <88ae6cf2-680a-dd13-dd30-625f7690959c@redhat.com> References: <88ae6cf2-680a-dd13-dd30-625f7690959c@redhat.com> Message-ID: On 11/15/2016 11:02 PM, Endi Sukma Dewata wrote: > When installing subordinate CA with HSM, the installer calls the > pki CLI (which is implemented using JSS) to validate the imported > CA certificate in HSM. Normally, the HSM password is specified as > CLI parameter, but in FIPS mode JSS requires both the HSM and the > internal token passwords. Since the CLI only takes one password, > JSS will prompt for the missing one on the console causing the > installation to hang. > > As a temporary solution, the pki-server subsystem-cert-validate > command has been modified to validate certificates stored in the > internal token only and it will use the internal token password, > so only a single password is required. Further investigation in > CLI/JSS/NSS is needed to support validating certificates in HSM > without password prompts. > > https://fedorahosted.org/pki/ticket/2543 ACKed by alee (thanks!). Pushed to master. -- Endi S. Dewata From cfu at redhat.com Thu Nov 17 02:25:49 2016 
From: cfu at redhat.com (Christina Fu)
Date: Wed, 16 Nov 2016 18:25:49 -0800
Subject: [Pki-devel] [pki-devel][PATCH]
In-Reply-To: <1554093259.17510753.1479262809543.JavaMail.zimbra@redhat.com>
References: <1554093259.17510753.1479262809543.JavaMail.zimbra@redhat.com>
Message-ID:

I compared this patch with the original C patch. There was a check in C that does not exist in your Java patch:

    if (data.size() != 3) {
        lifecycle = 0xf0;
        RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle",
                  "apdu response is the wrong size, the size is: %x", data.size());
        goto loser;
    }

Why does it not apply in Java?

Thanks,
Christina

On 11/15/2016 06:20 PM, John Magne wrote:
>
> Ticket: TPS throws "err=6" when attempting to format and e : https://fedorahosted.org/pki/ticket/2544
>
> Fix tested on standard card, it does what it is supposed to do. It checks first to make sure the lifecycle
> state needs to be changed before attempting to do so. This will prevent any cards that return an error when
> one tries to overwrite the value with the same value it had before.

From edewata at redhat.com Thu Nov 17 22:23:49 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Thu, 17 Nov 2016 16:23:49 -0600 Subject: [Pki-devel] [PATCH] 868-871 Added man pages for logging configuration Message-ID: Attached are patches to clean up and to add man pages for the logging configuration. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0868-Removed-unused-subsystem-logging.properties.patch Type: text/x-patch Size: 20015 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0869-Updated-logging.properties.patch Type: text/x-patch Size: 5556 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0870-Updated-log4j.properties.patch Type: text/x-patch Size: 4877 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0871-Added-man-pages-for-logging-configuration.patch Type: text/x-patch Size: 10487 bytes Desc: not available URL: From mharmsen at redhat.com Fri Nov 18 01:18:29 2016 
From: mharmsen at redhat.com (Matthew Harmsen)
Date: Thu, 17 Nov 2016 18:18:29 -0700
Subject: [Pki-devel] [PATCH] 868-871 Added man pages for logging configuration
In-Reply-To:
References:
Message-ID: <250b10e4-7000-9f38-93ff-92ab516b00f3@redhat.com>

On 11/17/2016 03:23 PM, Endi Sukma Dewata wrote:
> Attached are patches to clean up and to add man pages for the logging
> configuration.

ACK (presuming customization and troubleshooting have been tested) with the following caveats:

* pki-edewata-0868-Removed-unused-subsystem-logging.properties.patch
  o This patch needs to be split into two separate and distinct patches:
    + patch 1 contains base/ca and base/kra changes
    + patch 2 contains base/ocsp, base/tks, and base/tps changes
* pki-edewata-0869-Updated-logging.properties.patch
  o fine as is
* pki-edewata-0870-Updated-log4j.properties.patch
  o fine as is
* pki-edewata-0871-Added-man-pages-for-logging-configuration.patch
  o suggest adding a CUSTOMIZATION section header to the pki-logging.5 man page:
    + .SH CUSTOMIZATION

      To customize the logging configuration, copy the default logging configuration file into /etc/pki/logging.properties, then change the configuration as needed.
  o similarly, I suggest adding the following headers (or something similar) to the pki-server-logging.5 man page:
    + .SH CUSTOMIZATION

      To customize JUL configuration, replace the link with a copy of the default configuration:
    + .SH TROUBLESHOOTING

      To troubleshoot RESTEasy issues add the following line (unless Log4j is installed in Tomcat classpath):
    + .SH TOMCAT LOGGING

      .SS Log4j
    + .SH PKI LOGGING

      .SS Internal Logging
* Add a separate check-in to 'pki/specs/pki-core.spec' to include the man pages in their appropriate RPMS:
  o %files -n pki-base
    ...
    %{_sbindir}/pki-upgrade
    %{_mandir}/man5/pki-logging.5.gz
    %{_mandir}/man8/pki-upgrade.8.gz
    ...
  o %files -n pki-server
    ...
    %{_mandir}/man5/pki_default.cfg.5.gz
    %{_mandir}/man5/pki-server-logging.5.gz
    %{_mandir}/man8/pki-server-upgrade.8.gz

From edewata at redhat.com Fri Nov 18 06:14:53 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Nov 2016 00:14:53 -0600
Subject: [Pki-devel] [PATCH] 868-871 Added man pages for logging configuration
In-Reply-To: <250b10e4-7000-9f38-93ff-92ab516b00f3@redhat.com>
References: <250b10e4-7000-9f38-93ff-92ab516b00f3@redhat.com>
Message-ID: <1c06fa5b-c3c6-8ac3-8f69-18fe5de4dc5a@redhat.com>

On 11/17/2016 7:18 PM, Matthew Harmsen wrote:
> ACK (presuming customization and troubleshooting have been tested) with
> the following caveats:
>
> * pki-edewata-0868-Removed-unused-subsystem-logging.properties.patch
>   o This patch needs to be split into two separate and distinct patches:
>     + patch 1 contains base/ca and base/kra changes
>     + patch 2 contains base/ocsp, base/tks, and base/tps changes
> * pki-edewata-0869-Updated-logging.properties.patch
>   o fine as is
> * pki-edewata-0870-Updated-log4j.properties.patch
>   o fine as is
> * pki-edewata-0871-Added-man-pages-for-logging-configuration.patch
>   o suggest adding a CUSTOMIZATION section header to the
>     pki-logging.5 man page:
>     + .SH CUSTOMIZATION
>
>       To customize the logging configuration, copy the default
>       logging configuration file into /etc/pki/logging.properties,
>       then change the configuration as needed.
>   o similarly, I suggest adding the following headers (or something
>     similar) to the pki-server-logging.5 man page:
>     + .SH CUSTOMIZATION
>
>       To customize JUL configuration, replace the link with a copy
>       of the default configuration:
>     + .SH TROUBLESHOOTING
>
>       To troubleshoot RESTEasy issues add the following line
>       (unless Log4j is installed in Tomcat classpath):
>     + .SH TOMCAT LOGGING
>
>       .SS Log4j
>     + .SH PKI LOGGING
>
>       .SS Internal Logging
> * Add a separate check-in to 'pki/specs/pki-core.spec' to include the
>   man pages in their appropriate RPMS:
>   o %files -n pki-base
>     ...
>     %{_sbindir}/pki-upgrade
>     %{_mandir}/man5/pki-logging.5.gz
>     %{_mandir}/man8/pki-upgrade.8.gz
>     ...
>   o %files -n pki-server
>     ...
>     %{_mandir}/man5/pki_default.cfg.5.gz
>     %{_mandir}/man5/pki-server-logging.5.gz
>     %{_mandir}/man8/pki-server-upgrade.8.gz

Thanks! The patches are split and updated as suggested. Also another patch was added for the spec file. They are pushed to master.

-- 
Endi S. Dewata

From edewata at redhat.com Fri Nov 18 15:56:41 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Fri, 18 Nov 2016 09:56:41 -0600
Subject: [Pki-devel] [PATCH] 872 Update PKCS12Util to use SLF4J.
Message-ID:

The PKCS12Util class has been modified to use SLF4J logging framework. The CMake scripts have been modified to include SLF4J libraries in the classpath. The spec file has been modified to add SLF4J dependencies.

https://fedorahosted.org/pki/ticket/195

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0872-Update-PKCS12Util-to-use-SLF4J.patch
Type: text/x-patch
Size: 14461 bytes
Desc: not available
URL:

From cfu at redhat.com Fri Nov 18 20:23:54 2016
From: cfu at redhat.com (Christina Fu)
Date: Fri, 18 Nov 2016 12:23:54 -0800
Subject: [Pki-devel] [PATCH] pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch
Message-ID: <9e810504-6e46-702a-4aec-4f9364451289@redhat.com>

https://fedorahosted.org/pki/ticket/2534 Automatic recovery of encryption cert - CA and TPS tokendb shows different certificate status

This patch fixes the reported issue so now the auto-recovered certificate will reflect the actual status of the certificate. Also, since the externalReg tracks its own recovered certificate status, it is consolidated with the certificate status tracking mechanism added in this patch so that they can be uniformly managed.

thanks,
Christina

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch
Type: text/x-patch
Size: 35369 bytes
Desc: not available
URL:

From edewata at redhat.com Fri Nov 18 21:00:04 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Nov 2016 15:00:04 -0600 Subject: [Pki-devel] [PATCH] 873 Added subsystem logging.properties for debugging. Message-ID: <7501e427-c1ae-e6ed-af5c-6d5ba5f5f592@redhat.com> A new logging.properties has been added to each subsystem to define the PKI packages to be logged in the debug log. The server logging.properties has been updated to define the debug log handlers for each subsystem. The pki.policy has been modified to allow Tomcat to read the default logging.properties files in /usr/share/pki and to generate debug logs in instance subfolders. https://fedorahosted.org/pki/ticket/195 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0873-Added-subsystem-logging.properties-for-debugging.patch Type: text/x-patch Size: 14656 bytes Desc: not available URL: From edewata at redhat.com Fri Nov 18 21:00:11 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Fri, 18 Nov 2016 15:00:11 -0600 Subject: [Pki-devel] [PATCH] 874 Updated PKI server logging service to use SLF4J. Message-ID: <884cba46-0db7-9741-14c0-4340b312eb3d@redhat.com> The PKI server logging service has been modified to utilize SLF4J internally while maintaining the same API. This will allow incremental transition to SLF4J. https://fedorahosted.org/pki/ticket/195 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0874-Updated-PKI-server-logging-service-to-use-SLF4J.patch Type: text/x-patch Size: 6484 bytes Desc: not available URL: From cfu at redhat.com Sat Nov 19 01:42:40 2016 
From: cfu at redhat.com (Christina Fu)
Date: Fri, 18 Nov 2016 17:42:40 -0800
Subject: [Pki-devel] [PATCH] pki-cfu-0156-Ticket-2534-Automatic-recovery-of-encryption-cert-CA.patch
In-Reply-To: <9e810504-6e46-702a-4aec-4f9364451289@redhat.com>
References: <9e810504-6e46-702a-4aec-4f9364451289@redhat.com>
Message-ID:

got verbal ack from jmagne. Pushed to master:

commit c633da8d43894258d9a4b1050a0d16316c17dbd5

thanks,
Christina

On 11/18/2016 12:23 PM, Christina Fu wrote:
> https://fedorahosted.org/pki/ticket/2534 Automatic recovery of
> encryption cert - CA and TPS tokendb shows different certificate status
>
> This patch fixes the reported issue so now the auto-recovered
> certificate will reflect the actual status of the certificate. Also,
> since the externalReg tracks its own recovered certificate status, it
> is consolidated with the certificate status tracking mechanism added
> in this patch so that they can be uniformly managed.
>
> thanks,
>
> Christina

From alee at redhat.com Mon Nov 21 23:33:02 2016
From: alee at redhat.com (Ade Lee)
Date: Mon, 21 Nov 2016 18:33:02 -0500
Subject: [Pki-devel] [PATCH] 339-340 fixes for new Key REST logic
Message-ID: <1479771182.12615.8.camel@redhat.com>

Patch 340:
commit 0e1c6e0634f5d3b3d4b8a3d7293b23f1953cf542
Author: Ade Lee
Date:   Mon Nov 21 17:42:11 2016 -0500

    Fix bug in getting secrets from approved request

    When request was approved and retrieved through the rest
    interface, the corresponding volatile requests object was not
    created due to the new flow.  This makes sure the volatile request
    is created.

Patch 339:
commit 2e37a2fe6173a9968fd76fb7ff93e7cc188aa700
Author: Ade Lee
Date:   Mon Nov 21 12:01:09 2016 -0500

    Add python-client code for key resource changes

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0340-Fix-bug-in-getting-secrets-from-approved-request.patch
Type: text/x-patch
Size: 7889 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0339-Add-python-client-code-for-key-resource-changes.patch
Type: text/x-patch
Size: 7204 bytes
Desc: not available
URL:

From edewata at redhat.com Mon Nov 21 23:36:54 2016
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Nov 2016 17:36:54 -0600 Subject: [Pki-devel] [PATCH] 875 Updated server logging.properties. Message-ID: <07b54073-bce9-040d-9148-f1f088829132@redhat.com> The server logging.properties has been modified to log low level messages into catalina log for troubleshooting non-PKI issues (e.g. RESTEasy). High level messages (i.e. errors and warnings) will continue to be logged on the console. The pki-server-logging man page has been updated accordingly. https://fedorahosted.org/pki/ticket/195 -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0875-Updated-server-logging.properties.patch Type: text/x-patch Size: 5307 bytes Desc: not available URL: From edewata at redhat.com Mon Nov 21 23:49:56 2016 From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Nov 2016 17:49:56 -0600 Subject: [Pki-devel] [PATCH] 874 Updated PKI server logging service to use SLF4J. In-Reply-To: <884cba46-0db7-9741-14c0-4340b312eb3d@redhat.com> References: <884cba46-0db7-9741-14c0-4340b312eb3d@redhat.com> Message-ID: <4e8406ec-e2f6-22ad-37cb-155a8770ba10@redhat.com> On 11/18/2016 3:00 PM, Endi Sukma Dewata wrote: > The PKI server logging service has been modified to utilize SLF4J > internally while maintaining the same API. This will allow > incremental transition to SLF4J. > > https://fedorahosted.org/pki/ticket/195 New patch attached for some cleanups. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0874-1-Updated-PKI-server-logging-service-to-use-SLF4J.patch Type: text/x-patch Size: 7388 bytes Desc: not available URL: From edewata at redhat.com Mon Nov 21 23:50:01 2016 
From: edewata at redhat.com (Endi Sukma Dewata) Date: Mon, 21 Nov 2016 17:50:01 -0600 Subject: [Pki-devel] [PATCH] 873 Added subsystem logging.properties for debugging. In-Reply-To: <7501e427-c1ae-e6ed-af5c-6d5ba5f5f592@redhat.com> References: <7501e427-c1ae-e6ed-af5c-6d5ba5f5f592@redhat.com> Message-ID: <1e9d193b-d439-c9f9-d4cb-4d274de1922f@redhat.com> On 11/18/2016 3:00 PM, Endi Sukma Dewata wrote: > A new logging.properties has been added to each subsystem to > define the PKI packages to be logged in the debug log. The > server logging.properties has been updated to define the debug > log handlers for each subsystem. > > The pki.policy has been modified to allow Tomcat to read the > default logging.properties files in /usr/share/pki and to > generate debug logs in instance subfolders. > > https://fedorahosted.org/pki/ticket/195 New patch attached for some cleanups. -- Endi S. Dewata -------------- next part -------------- A non-text attachment was scrubbed... Name: pki-edewata-0873-1-Added-subsystem-logging.properties-for-debugging.patch Type: text/x-patch Size: 11358 bytes Desc: not available URL: From alee at redhat.com Tue Nov 22 17:11:56 2016 
From: alee at redhat.com (Ade Lee)
Date: Tue, 22 Nov 2016 12:11:56 -0500
Subject: [Pki-devel] [PATCH] 339-340 fixes for new Key REST logic
In-Reply-To: <1479771182.12615.8.camel@redhat.com>
References: <1479771182.12615.8.camel@redhat.com>
Message-ID: <1479834716.12615.9.camel@redhat.com>

Acked by Endi. Pushed to Master.

On Mon, 2016-11-21 at 18:33 -0500, Ade Lee wrote:
> Patch 340:
> commit 0e1c6e0634f5d3b3d4b8a3d7293b23f1953cf542
> Author: Ade Lee
> Date:   Mon Nov 21 17:42:11 2016 -0500
>
>     Fix bug in getting secrets from approved request
>
>     When request was approved and retrieved through the rest
>     interface, the corresponding volatile requests object was not
>     created due to the new flow.  This makes sure the volatile request
>     is created.
>
> Patch 339:
> commit 2e37a2fe6173a9968fd76fb7ff93e7cc188aa700
> Author: Ade Lee
> Date:   Mon Nov 21 12:01:09 2016 -0500
>
>     Add python-client code for key resource changes

From edewata at redhat.com Tue Nov 22 18:41:45 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Tue, 22 Nov 2016 12:41:45 -0600
Subject: [Pki-devel] [PATCH] 876 Updated pki-cert man page.
Message-ID: <8da57b77-69d4-dc01-ae7f-e8777c51bda3@redhat.com>

The pki-cert man page has been updated to clarify that certain profiles may require authentication and the CLI supports certain authentication types.

https://fedorahosted.org/pki/ticket/2289

Pushed to master under trivial/one-liner rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0876-Updated-pki-cert-man-page.patch
Type: text/x-patch
Size: 1418 bytes
Desc: not available
URL:

From jmagne at redhat.com Wed Nov 23 00:04:44 2016
From: jmagne at redhat.com (John Magne)
Date: Tue, 22 Nov 2016 19:04:44 -0500 (EST)
Subject: [Pki-devel] [pki-devel][PATCH]
In-Reply-To:
References: <1554093259.17510753.1479262809543.JavaMail.zimbra@redhat.com>
Message-ID: <986725368.1638738.1479859483994.JavaMail.zimbra@redhat.com>

Verbally discussed issue with cfu, was given cond ack upon fixing the issue:

Issue has been fixed, checked into master.

commit cdb8d2f7a3655b4ba97b70a9460721e0d2d8afe7
Author: Jack Magne
Date:   Tue Nov 15 17:37:07 2016 -0800

    Change lifecycle at end of enrollment if it is not already set.

    TPS throws "err=6" when attempting to format and enroll G&D Cards.
    https://bugzilla.redhat.com/show_bug.cgi?id=1320283

    This fix addresses this bug, but also:

    Fixes this issue: Applet upgrade during rekey operation results in formatted token.

    Also, it takes care of a related issue where the new apdu needed for the lifecycle
    state causes the testing tool "tpsclient" to seg fault. The fix here is a minimal
    fix to have tpsclient return an error when it gets this apdu it can't handle,
    instead of crashing.

    Closed ticket # 2544

----- Original Message -----
> From: "Christina Fu"
> To: pki-devel at redhat.com
> Sent: Wednesday, November 16, 2016 6:25:49 PM
> Subject: Re: [Pki-devel] [pki-devel][PATCH]
>
> I compared this patch with the original C patch. There was a check in C that
> does not exist in your Java patch:
>
>     if (data.size() != 3) {
>         lifecycle = 0xf0;
>         RA::Error(LL_PER_PDU, "RA_Processor::GetLifecycle",
>                   "apdu response is the wrong size, the size is: %x", data.size());
>         goto loser;
>     }
>
> Why does it not apply in Java?
>
> Thanks,
> Christina
>
> On 11/15/2016 06:20 PM, John Magne wrote:
> >
> > Ticket: TPS throws "err=6" when attempting to format and e :
> > https://fedorahosted.org/pki/ticket/2544 Fix tested on standard card, it
> > does what it is supposed to do. It checks first to make sure the lifecycle
> > state needs to be changed before attempting to do so. This will prevent any
> > cards that return an error when
> > one tries to overwrite the value with the same value it had before.

From edewata at redhat.com Wed Nov 23 21:33:19 2016
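The two points of this thread, Jack's fix (read the lifecycle state first and only change it when it differs, so cards that reject rewriting the same value no longer fail) and Christina's question about the missing size check on the GetLifecycle response, as an added Python sketch. This is illustration code, not code from the Dogtag TPS, tpsclient, or either patch: the response layout it assumes (one lifecycle byte followed by a two-byte status word, three bytes in all, matching the size the C check expects) and the Card, parse_lifecycle and finalize_lifecycle names are assumptions for this example.

```python
"""Change a token's lifecycle state only when it actually differs.

Added illustration, not Dogtag TPS code.  Mirrors the thread: the current
state is read first and a SetLifecycle is sent only when it differs from
the desired state, and the GetLifecycle reply is size-checked (3 bytes,
otherwise the 0xf0 sentinel from the C code) before its first byte is used.
The 3-byte layout (lifecycle byte + SW1 + SW2) and all names are assumptions.
"""
from typing import List, Optional

LIFECYCLE_UNKNOWN = 0xF0       # sentinel the C code assigns on a wrong-size response
EXPECTED_RESPONSE_LEN = 3      # assumed: lifecycle byte + SW1 + SW2


class Card:
    """Constructed stand-in for a token: a scripted GetLifecycle reply and a record of writes."""

    def __init__(self, lifecycle_response: bytes) -> None:
        self._response = lifecycle_response
        self.set_calls: List[int] = []   # every SetLifecycle value sent to the card

    def get_lifecycle(self) -> bytes:
        return self._response

    def set_lifecycle(self, state: int) -> bool:
        self.set_calls.append(state)
        self._response = bytes([state, 0x90, 0x00])   # card now reports the new state
        return True


def parse_lifecycle(response: bytes) -> int:
    """Mirror of the C size check: anything but a 3-byte reply yields the 0xf0 sentinel."""
    if len(response) != EXPECTED_RESPONSE_LEN:
        return LIFECYCLE_UNKNOWN
    return response[0]


def finalize_lifecycle(card: Card, desired: int) -> Optional[str]:
    """Bring the card to `desired`; return None on success or an error message.

    The write is skipped when the card already reports `desired` (the rewrite
    some cards reject) and refused when the current state could not be read.
    """
    current = parse_lifecycle(card.get_lifecycle())
    if current == LIFECYCLE_UNKNOWN:
        return "GetLifecycle response has the wrong size; lifecycle left unchanged"
    if current == desired:
        return None                       # already there: no SetLifecycle is sent
    if not card.set_lifecycle(desired):
        return "SetLifecycle failed"
    return None


if __name__ == "__main__":
    card = Card(bytes([0x07, 0x90, 0x00]))   # constructed: card currently reports 0x07
    print(finalize_lifecycle(card, 0x0F), card.set_calls)   # None [15]
```

A card that already reports the desired state produces no SetLifecycle at all, a card in another state gets exactly one, and a truncated reply is refused before any write, which is the behaviour the C check guarded and the Java port would need to reproduce.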
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 23 Nov 2016 15:33:19 -0600
Subject: [Pki-devel] [PATCH] 877 Refactored PKIConnection.get().
Message-ID: <0462db40-1181-c179-a058-a55771e52ca9@redhat.com>

The PKIConnection has been modified to provide two get() methods: one returning a generic Response object and the other returning an object with the specified type. The ConfigurationUtils has been modified accordingly.

https://fedorahosted.org/pki/ticket/1517

Pushed to master and 10.3 branch under trivial/one-liner rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0877-Refactored-PKIConnection.get.patch
Type: text/x-patch
Size: 2650 bytes
Desc: not available
URL:

From edewata at redhat.com Wed Nov 23 21:33:42 2016
From: edewata at redhat.com (Endi Sukma Dewata)
Date: Wed, 23 Nov 2016 15:33:42 -0600
Subject: [Pki-devel] [PATCH] 878 Fixed problem with pki user-cert-add.
Message-ID: <8dbce6fd-3e82-5edd-c823-16b4a224f2e3@redhat.com>

Previously the pki user-cert-add fails to check whether the server has a CA subsystem when it's invoked over SSL. That is because the CLI tries to establish a new but improperly set up SSL connection. Now the CLI has been modified to use the existing server connection.

https://fedorahosted.org/pki/ticket/1517

Pushed to master and 10.3 branch under trivial/one-liner rule.

-- 
Endi S. Dewata

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-edewata-0878-Fixed-problem-with-pki-user-cert-add.patch
Type: text/x-patch
Size: 2871 bytes
Desc: not available
URL:

From ftweedal at redhat.com Tue Nov 29 08:58:34 2016
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 29 Nov 2016 18:58:34 +1000 Subject: [Pki-devel] [PATCH] 0137 Remove unused member Message-ID: <20161129085834.GB28337@dhcp-40-8.bne.redhat.com> Just a drive-by removal of an unused class member. Pushed under one-liner rule. Thanks, Fraser -------------- next part -------------- From e613f485e9ed08b9b5e6b2ad568a0953b742b0e5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Mon, 28 Nov 2016 14:52:11 +1000 Subject: [PATCH] Remove unused member --- base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java | 1 - 1 file changed, 1 deletion(-) diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java index ea5108445356e848ecb9520c7147a75181c11c51..ff97bfa6ce395fcf70ff9e39b0cd47f9416e2493 100644 --- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java +++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java @@ -89,7 +89,6 @@ public abstract class BasicProfile implements IProfile { protected Vector mOutputIds = new Vector(); protected Hashtable mUpdaters = new Hashtable(); protected Vector mUpdaterIds = new Vector(); - protected IProfileAuthenticator mAuthenticator = null; protected String mAuthInstanceId = null; protected String mId = null; protected String mAuthzAcl = ""; -- 2.7.4 From ftweedal at redhat.com Tue Nov 29 09:02:12 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 29 Nov 2016 19:02:12 +1000 Subject: [Pki-devel] [PATCH] 0138 Move AuthToken key constants to IAuthToken Message-ID: <20161129090212.GC28337@dhcp-40-8.bne.redhat.com> The attached patch moves some string constants from AuthToken to IAuthToken. External authentication support will bring a new implementation of IAuthToken so moving these to the interface simplifies things. Thanks, Fraser -------------- next part -------------- 
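Review bot: in the BasicProfile.java hunk above, removing `protected IProfileAuthenticator mAuthenticator = null;` from an abstract class is only safe if no subclass reads or assigns the field, since a protected member is part of the inheritance contract rather than a private implementation detail; the diffstat shows a single file with one deletion and the commit message ("Remove unused member") does not say how "unused" was established, so a tree-wide search for `mAuthenticator` across the profile subclasses would be worth citing in the message before this goes in under the one-liner rule.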
From 8118f83cc7691e48c63111a050540c9180fd29e5 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 29 Nov 2016 16:10:58 +1000 Subject: [PATCH 138/141] Move AuthToken key constants to IAuthToken Part of: https://fedorahosted.org/pki/ticket/1359 --- .../netscape/certsrv/authentication/AuthToken.java | 34 ---------------------- .../certsrv/authentication/IAuthToken.java | 34 ++++++++++++++++++++++ 2 files changed, 34 insertions(+), 34 deletions(-) diff --git a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java index 0febf87727d2ebde9dbcacbd5059f9b9afa13701..53959b131f2d9a99e6b9b65640f8546e84468c66 100644 --- a/base/common/src/com/netscape/certsrv/authentication/AuthToken.java +++ b/base/common/src/com/netscape/certsrv/authentication/AuthToken.java 
@@ -51,40 +51,6 @@ import com.netscape.certsrv.usrgrp.Certificates; public class AuthToken implements IAuthToken { protected Hashtable mAttrs = null; - /* Subject name of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; - - /* NotBefore value of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; - - /* NotAfter value of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter"; - - /* Cert Extentions value of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts"; - - /* Serial number of the certificate in the authenticating entry */ - public static final String TOKEN_CERT_SERIALNUM = "certSerial"; - - /** - * Certificate to be renewed - */ - public static final String TOKEN_CERT = "tokenCert"; - - /* Certificate to be revoked */ - public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke"; - - /** - * Name of the authentication manager that created the AuthToken - * as a string. - */ - public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName"; - - /** - * Time of authentication as a java.util.Date - */ - public static final String TOKEN_AUTHTIME = "authTime"; - /** * Constructs an instance of a authentication token. * The token by default contains the following attributes:
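Review bot: The commit message should state why the AuthToken.java removal is source-compatible: AuthToken `implements IAuthToken`, and constants declared on an interface are inherited by implementing classes, so existing `AuthToken.TOKEN_CERT` and similar references keep resolving once the constants live on IAuthToken; without that sentence a reader has to go hunting for callers. While in this region, the untouched context line `Constructs an instance of a authentication token` could be fixed to `an authentication token`.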
diff --git a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java index a71432446edcf6b5d838f1115df16b26acd01dce..a3f240e9c35987462eb2f176de650a769df1005c 100644 --- a/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java +++ b/base/common/src/com/netscape/certsrv/authentication/IAuthToken.java @@ -41,6 +41,40 @@ public interface IAuthToken { public static final String UID = "uid"; public static final String GROUPS = "groups"; + /* Subject name of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_SUBJECT = "tokenCertSubject"; + + /* NotBefore value of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_NOTBEFORE = "tokenCertNotBefore"; + + /* NotAfter value of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_NOTAFTER = "tokenCertNotAfter"; + + /* Cert Extentions value of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_EXTENSIONS = "tokenCertExts"; + + /* Serial number of the certificate in the authenticating entry */ + public static final String TOKEN_CERT_SERIALNUM = "certSerial"; + + /** + * Certificate to be renewed + */ + public static final String TOKEN_CERT = "tokenCert"; + + /* Certificate to be revoked */ + public static final String TOKEN_CERT_TO_REVOKE = "tokenCertToRevoke"; + + /** + * Name of the authentication manager that created the AuthToken + * as a string. + */ + public static final String TOKEN_AUTHMGR_INST_NAME = "authMgrInstName"; + + /** + * Time of authentication as a java.util.Date + */ + public static final String TOKEN_AUTHTIME = "authTime"; + /** * Sets an attribute value within this AttrSet. * -- 2.7.4 From ftweedal at redhat.com Tue Nov 29 09:04:26 2016 
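Review bot: The constants arrive on IAuthToken with their comment styles unchanged: `/* ... */` for TOKEN_CERT_SUBJECT through TOKEN_CERT_TO_REVOKE and `/** ... */` for TOKEN_CERT, TOKEN_AUTHMGR_INST_NAME and TOKEN_AUTHTIME, so only the latter three show up in the generated javadoc of the interface. Since the point of the move is that the interface becomes the contract a second IAuthToken implementation will code against, make all of them `/** */` and fix `Cert Extentions` to `Cert Extensions` in the same move.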
From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 29 Nov 2016 19:04:26 +1000 Subject: [Pki-devel] [PATCH] 0139 Merge duplicate authz plugin code into superclass Message-ID: <20161129090426.GD28337@dhcp-40-8.bne.redhat.com> The attached patch merges some duplicate authz manager code into the existing AAclAuthz superclass. It simplifies things if we end up adding a new authz manager as part of external authentication / GSS-API support. But it's a nice refactor to do anyway :) Thanks, Fraser -------------- next part -------------- From afc5fc3da5f1ea61305fb237e002bbe8b3d26e8c Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 25 Nov 2016 14:29:40 +1000 Subject: [PATCH 139/141] Merge duplicate authz plugin code into superclass DirAclAuthz and BasicAclAuthz both extend AAclAuthz, but there is still a lot of duplicate code. Push the duplicated bits up into the AAclAuthz. Also remove abstract method flushResourceACLs() from AAclAuthz, and its implementation from BasicAclAuthz, because it is only implemented (meaningfully) by DirAclAuthz. Part of: https://fedorahosted.org/pki/ticket/1359 --- .../com/netscape/cms/authorization/AAclAuthz.java | 93 ++++++++++--- .../netscape/cms/authorization/BasicAclAuthz.java | 144 +-------------------- .../netscape/cms/authorization/DirAclAuthz.java | 105 +-------------- 3 files changed, 78 insertions(+), 264 deletions(-) diff --git a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java index b3e447cfca49951fe78f6b4896652921ffc43406..f95c98174a06dba9ebf3e43238e566be2e6b5594 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/AAclAuthz.java 
@@ -30,6 +30,9 @@ import com.netscape.certsrv.acls.IACL; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; +import com.netscape.certsrv.authorization.EAuthzAccessDenied; +import com.netscape.certsrv.authorization.EAuthzInternalError; +import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; import com.netscape.certsrv.evaluators.IAccessEvaluator; @@ -61,7 +64,7 @@ import com.netscape.cmsutil.util.Utils; * @version $Revision$, $Date$ * @see ACL Files */ -public abstract class AAclAuthz { +public abstract class AAclAuthz implements IAuthzManager { protected static final String PROP_CLASS = "class"; protected static final String PROP_IMPL = "impl"; @@ -69,6 +72,12 @@ public abstract class AAclAuthz { protected static final String ACLS_ATTR = "aclResources"; + /* name of this authorization manager instance */ + private String mName = null; + + /* name of the authorization manager plugin */ + private String mImplName = null; + private IConfigStore mConfig = null; private Hashtable mACLs = new Hashtable(); @@ -93,14 +102,14 @@ public abstract class AAclAuthz { /** * Initializes */ - protected void init(IConfigStore config) + public void init(String name, String implName, IConfigStore config) throws EBaseException { - + mName = name; + mImplName = implName; + mConfig = config; mLogger = CMS.getLogger(); CMS.debug("AAclAuthz: init begins"); - mConfig = config; - // load access evaluators specified in the config file IConfigStore mainConfig = CMS.getConfigStore(); IConfigStore evalConfig = mainConfig.getSubStore(PROP_EVAL); 
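Review bot: In the `init(String name, String implName, IConfigStore config)` hunk of AAclAuthz.java, `mConfig` stays `private` while this same patch deletes the subclasses' own `mConfig` fields, so any `mConfig` use left in BasicAclAuthz or DirAclAuthz beyond the one the DirAclAuthz hunk rewrites to `config.getSubStore("ldap")` stops compiling; either make the field `protected` or point subclasses at `getConfigStore()`, which IAuthzManager already exposes (AuthzSubsystem calls `mgr.getConfigStore()`). With `AAclAuthz implements IAuthzManager` added here, the `implements IAuthzManager` clause and the `IAuthzManager` import that survive in both subclasses are redundant.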
@@ -144,6 +153,20 @@ public abstract class AAclAuthz { } /** + * gets the name of this authorization manager instance + */ + public String getName() { + return mName; + } + + /** + * gets the plugin name of this authorization manager. + */ + public String getImplName() { + return mImplName; + } + + /** * Parse ACL resource attributes, then update the ACLs memory store * This is intended to be used if storing ACLs on ldap is not desired, * and the caller is expected to call this method to add resource @@ -818,7 +841,7 @@ public abstract class AAclAuthz { } } - private void log(int level, String msg) { + protected void log(int level, String msg) { if (mLogger == null) return; mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, @@ -830,24 +853,58 @@ public abstract class AAclAuthz { **********************************/ /** - * update acls. called after memory upate is done to flush to permanent - * storage. - *

- */ - protected abstract void flushResourceACLs() throws EACLsException; - - /** - * an abstract class that enforces implementation of the - * authorize() method that will authorize an operation on a - * particular resource + * check the authorization permission for the user associated with + * authToken on operation + * + * Example: + * + * For example, if UsrGrpAdminServlet needs to authorize the + * caller it would do be done in the following fashion: + * + * try { + * authzTok = mAuthz.authorize( + * "DirAclAuthz", authToken, RES_GROUP, "read"); + * } catch (EBaseException e) { + * log(ILogger.LL_FAILURE, "authorize call: " + e.toString()); + * } * * @param authToken the authToken associated with a user * @param resource - the protected resource name * @param operation - the protected resource operation name - * @exception EBaseException If an internal error occurred. + * @exception EAuthzAccessDenied If access was denied + * @exception EAuthzInternalError If an internal error occurred. 
* @return authzToken */ - public abstract AuthzToken authorize(IAuthToken authToken, String resource, String operation) throws EBaseException; + public AuthzToken authorize(IAuthToken authToken, String resource, String operation) + throws EAuthzInternalError, EAuthzAccessDenied { + try { + checkPermission(authToken, resource, operation); + // compose AuthzToken + AuthzToken authzToken = new AuthzToken(this); + authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); + authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); + authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); + CMS.debug(mName + ": authorization passed"); + return authzToken; + } catch (EACLsException e) { + // audit here later + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); + String params[] = { resource, operation }; + log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); + + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); + } + } + + public AuthzToken authorize(IAuthToken authToken, String expression) + throws EAuthzAccessDenied { + if (evaluateACLs(authToken, expression)) { + return (new AuthzToken(this)); + } else { + String params[] = { expression }; + throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); + } + } public String getOrder() { IConfigStore mainConfig = CMS.getConfigStore(); diff --git a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java index c883758b39ee018ab6aeb82bdfb5242bcc32c439..6b33c2041d0b41ac5db31c3ebf8a3ae1d33632b9 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/BasicAclAuthz.java 
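Review bot: In the merged `authorize(IAuthToken, String, String)` hunk, the `// audit here later` branch is now the single place where an access denial is decided for every subsystem, and it still only writes LL_FAILURE log lines; with the two copies collapsed into one this is the moment to emit the audit event rather than carry the TODO forward. Three smaller points in the same hunk: the method declares `throws EAuthzInternalError` and the javadoc lists `@exception EAuthzInternalError`, but nothing in the body raises it (only EACLsException is caught and mapped to EAuthzAccessDenied), so either drop it or map unexpected exceptions out of `checkPermission` to it; the javadoc example `mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read")` is the four-argument IAuthzSubsystem call, not this three-argument method, and will mislead; and the expression overload returns `new AuthzToken(this)` with none of TOKEN_AUTHZ_RESOURCE, TOKEN_AUTHZ_OPERATION or TOKEN_AUTHZ_STATUS set, unlike the resource overload just above it, so a caller inspecting the token sees a different shape depending on which overload ran.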
@@ -18,12 +18,7 @@ package com.netscape.cms.authorization; // cert server imports. -import com.netscape.certsrv.acls.EACLsException; import com.netscape.certsrv.apps.CMS; -import com.netscape.certsrv.authentication.IAuthToken; -import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.EAuthzInternalError; import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; @@ -38,23 +33,6 @@ import com.netscape.certsrv.logging.ILogger; public class BasicAclAuthz extends AAclAuthz implements IAuthzManager, IExtendedPluginInfo { - // members - - /* name of this authorization manager instance */ - private String mName = null; - - /* name of the authorization manager plugin */ - private String mImplName = null; - - /* configuration store */ - @SuppressWarnings("unused") - private IConfigStore mConfig; - - /* the system logger */ - private ILogger mLogger = null; - - protected static final String PROP_BASEDN = "basedn"; - static { mExtendedPluginInfo.add("nothing for now"); } @@ -80,135 +58,15 @@ public class BasicAclAuthz extends AAclAuthz */ public void init(String name, String implName, IConfigStore config) throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - mLogger = CMS.getLogger(); - - super.init(config); + super.init(name, implName, config); log(ILogger.LL_INFO, "initialization done"); } /** - * gets the name of this authorization manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authorization manager. - */ - public String getImplName() { - return mImplName; - } - - /** - * check the authorization permission for the user associated with - * authToken on operation - *

- * Example: - *

- * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: - * - *

-     * try {
-     *     authzTok = mAuthz.authorize("DirACLBasedAuthz", authToken, RES_GROUP, "read");
-     * } catch (EBaseException e) {
-     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
-     * }
-     * 
- * - * @param authToken the authToken associated with a user - * @param resource - the protected resource name - * @param operation - the protected resource operation name - * @exception EAuthzInternalError if an internal error occurred. - * @exception EAuthzAccessDenied if access denied - * @return authzToken if success - */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { - AuthzToken authzToken = new AuthzToken(this); - - try { - checkPermission(authToken, resource, operation); - - CMS.debug("BasicAclAuthz: authorization passed"); - - // compose AuthzToken - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, - AuthzToken.AUTHZ_STATUS_SUCCESS); - } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = { resource, operation }; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); - - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); - } - - return authzToken; - } - - public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { - if (evaluateACLs(authToken, expression)) { - return (new AuthzToken(this)); - } else { - String params[] = { expression }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); - } - } - - /** - * This currently does not flush to permanent storage - * - * @param id is the resource id - * @param strACLs - */ - public void updateACLs(String id, String rights, String strACLs, - String desc) throws EACLsException { - try { - super.updateACLs(id, rights, strACLs, desc); - // flushResourceACLs(); - } catch (EACLsException ex) { - - log(ILogger.LL_FAILURE, 
CMS.getLogMessage("AUTHZ_EVALUATOR_FLUSH_RESOURCES", ex.toString())); - - throw new EACLsException(CMS.getUserMessage("CMS_ACL_UPDATE_FAIL")); - } - } - - /** - * updates resourceACLs to permanent storage. - * currently not implemented for this authzMgr - */ - protected void flushResourceACLs() throws EACLsException { - log(ILogger.LL_FAILURE, "flushResourceACL() is not implemented"); - throw new EACLsException(CMS.getUserMessage("CMS_ACL_METHOD_NOT_IMPLEMENTED")); - } - - /** * graceful shutdown */ public void shutdown() { log(ILogger.LL_INFO, "shutting down"); } - - /** - * Logs a message for this class in the system log file. - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); - } } diff --git a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java index 4f14f4c4098c31bdad8b85260a1ea14b1c917f52..bcb81f3d0e390545fed2fbf530cf9b57e6bc48ea 100644 --- a/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java +++ b/base/server/cms/src/com/netscape/cms/authorization/DirAclAuthz.java @@ -24,8 +24,6 @@ import com.netscape.certsrv.acls.EACLsException; import com.netscape.certsrv.apps.CMS; import com.netscape.certsrv.authentication.IAuthToken; import com.netscape.certsrv.authorization.AuthzToken; -import com.netscape.certsrv.authorization.EAuthzAccessDenied; -import com.netscape.certsrv.authorization.EAuthzInternalError; import com.netscape.certsrv.authorization.IAuthzManager; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.IConfigStore; 
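Review bot: In the BasicAclAuthz.java hunks, dropping the `updateACLs` override is a small behaviour change the commit message does not mention: that override logged `AUTHZ_EVALUATOR_FLUSH_RESOURCES` and remapped any EACLsException from `super.updateACLs` to `CMS_ACL_UPDATE_FAIL`, whereas BasicAclAuthz now propagates whatever AAclAuthz.updateACLs throws, so a caller keyed on the old message sees a different one. The header `extends AAclAuthz implements IAuthzManager, IExtendedPluginInfo` and the `IAuthzManager` import survive the hunk although AAclAuthz now implements the interface; drop both. Removing `flushResourceACLs()` here is fine, its only behaviour was to throw CMS_ACL_METHOD_NOT_IMPLEMENTED.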
@@ -54,18 +52,6 @@ public class DirAclAuthz extends AAclAuthz // members - /* name of this authentication manager instance */ - private String mName = null; - - /* name of the authentication manager plugin */ - private String mImplName = null; - - /* configuration store */ - private IConfigStore mConfig; - - /* the system logger */ - private ILogger mLogger = null; - protected static final String PROP_BASEDN = "basedn"; private ILdapConnFactory mLdapConnFactory = null; @@ -118,15 +104,10 @@ public class DirAclAuthz extends AAclAuthz */ public void init(String name, String implName, IConfigStore config) throws EBaseException { - mName = name; - mImplName = implName; - mConfig = config; - mLogger = CMS.getLogger(); - - super.init(config); + super.init(name, implName, config); // initialize LDAP connection factory - IConfigStore ldapConfig = mConfig.getSubStore("ldap"); + IConfigStore ldapConfig = config.getSubStore("ldap"); if (ldapConfig == null) { log(ILogger.LL_MISCONF, "failed to get config ldap info"); @@ -186,75 +167,6 @@ public class DirAclAuthz extends AAclAuthz } /** - * gets the name of this authorization manager instance - */ - public String getName() { - return mName; - } - - /** - * gets the plugin name of this authorization manager. - */ - public String getImplName() { - return mImplName; - } - - /** - * check the authorization permission for the user associated with - * authToken on operation - *

- * Example: - *

- * For example, if UsrGrpAdminServlet needs to authorize the caller it would do be done in the following fashion: - * - *

-     * try {
-     *     authzTok = mAuthz.authorize("DirAclAuthz", authToken, RES_GROUP, "read");
-     * } catch (EBaseException e) {
-     *     log(ILogger.LL_FAILURE, "authorize call: " + e.toString());
-     * }
-     * 
- * - * @param authToken the authToken associated with a user - * @param resource - the protected resource name - * @param operation - the protected resource operation name - * @exception EBaseException If an internal error occurred. - * @return authzToken - */ - public AuthzToken authorize(IAuthToken authToken, String resource, String operation) - throws EAuthzInternalError, EAuthzAccessDenied { - AuthzToken authzToken = new AuthzToken(this); - - try { - checkPermission(authToken, resource, operation); - // compose AuthzToken - authzToken.set(AuthzToken.TOKEN_AUTHZ_RESOURCE, resource); - authzToken.set(AuthzToken.TOKEN_AUTHZ_OPERATION, operation); - authzToken.set(AuthzToken.TOKEN_AUTHZ_STATUS, AuthzToken.AUTHZ_STATUS_SUCCESS); - CMS.debug("DirAclAuthz: authorization passed"); - } catch (EACLsException e) { - // audit here later - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_EVALUATOR_AUTHORIZATION_FAILED")); - String params[] = { resource, operation }; - log(ILogger.LL_FAILURE, CMS.getLogMessage("AUTHZ_AUTHZ_ACCESS_DENIED_2", params)); - - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_ERROR")); - } - - return authzToken; - } - - public AuthzToken authorize(IAuthToken authToken, String expression) - throws EAuthzAccessDenied { - if (evaluateACLs(authToken, expression)) { - return (new AuthzToken(this)); - } else { - String params[] = { expression }; - throw new EAuthzAccessDenied(CMS.getUserMessage("CMS_AUTHORIZATION_AUTHZ_ACCESS_DENIED", params)); - } - } - - /** * update acls. when memory update is done, flush to ldap. *

* Currently, it is possible that when the memory is updated successfully, and the ldap isn't, the memory upates @@ -353,17 +265,4 @@ public class DirAclAuthz extends AAclAuthz } } - /** - * Logs a message for this class in the system log file. - * - * @param level The log level. - * @param msg The message to log. - * @see com.netscape.certsrv.logging.ILogger - */ - protected void log(int level, String msg) { - if (mLogger == null) - return; - mLogger.log(ILogger.EV_SYSTEM, null, ILogger.S_AUTHORIZATION, - level, msg); - } } -- 2.7.4 From ftweedal at redhat.com Tue Nov 29 09:08:48 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 29 Nov 2016 19:08:48 +1000 Subject: [Pki-devel] [PATCH] 0140 Allow ':' to appear in ACL expressions Message-ID: <20161129090848.GE28337@dhcp-40-8.bne.redhat.com> With current ACL parsing, if you have a ':' in a group name (as occurs with FreeIPA permissions, which matter for upcoming external principal support) you are stuffed. This commit fixes that. It is really a band aid - the existing parsing code is poor and should be replaced with a nice combinatorial parser... but who has the time for that right now? ¯\_(ツ)_/¯ Note that if there is a ':' in any of the ACL descriptions/comments (the final field) this change breaks it. We don't have any occurrences of that in our codebase. Thanks, Fraser -------------- next part -------------- From 4e13cd0c960558b0f590c5f74ef0b52f0eb667f2 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 25 Nov 2016 18:04:22 +1000 Subject: [PATCH 140/141] Allow ':' to appear in ACL expressions Currently if ':' appears in an ACL expression (e.g. a group name, as occurs in FreeIPA permissions), the ACL gets parsed incorrectly. Look backwards from end of string for the final ':', so that the ACL parses correctly. Part of: https://fedorahosted.org/pki/ticket/1359 --- base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java index e37ba25e0446108e266a1b068a7ba2a6e60fb769..9b87f6e2437a398ffd6c4956a8e91809918ab8b9 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java +++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java @@ -681,8 +681,10 @@ public class CMSEngine implements ICMSEngine { acl = new ACL(resource, rights, resACLs); + // search *backwards* for final instance of ':', to handle case + // where acl expressions contain colon, e.g. in a group name. String stx = st.substring(idx2 + 1); - int idx3 = stx.indexOf(":"); + int idx3 = stx.lastIndexOf(":"); String aclStr = stx.substring(0, idx3); // getting list of acl entries -- 2.7.4 From ftweedal at redhat.com Tue Nov 29 09:12:28 2016 From: ftweedal at redhat.com (Fraser Tweedale) Date: Tue, 29 Nov 2016 19:12:28 +1000 Subject: [Pki-devel] [PATCH] 0141 Add getAuthzManagerNameByRealm to IAuthzSubsystem Message-ID: <20161129091228.GF28337@dhcp-40-8.bne.redhat.com> This patch renames (a better name) and moves to the IAuthzSubsystem interface a method in AuthzSubsystem that may be useful for doing authorisation checks for external principals. Thanks, Fraser -------------- next part -------------- From 6a1ddf4cf79e40ff0a0702e063afa6e6237f0fb6 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 25 Nov 2016 21:08:56 +1000 Subject: [PATCH 141/141] Add getAuthzManagerNameByRealm to IAuthzSubsystem The getAuthzManagerByRealm public method is defined in AuthzSubsystem but to support external principals we want to make this part of the IAuthzSubsystem interface, so other classes (e.g. ACLInterceptor) can use it. Part of: https://fedorahosted.org/pki/ticket/1359 --- .../netscape/certsrv/authorization/IAuthzSubsystem.java | 9 +++++++++ .../netscape/cmscore/authorization/AuthzSubsystem.java | 16 +++++++++------- 2 files changed, 18 insertions(+), 7 deletions(-) 
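Review bot: In the 0140 CMSEngine.java hunk, `stx.lastIndexOf(":")` still returns -1 for a record with no description separator, and `stx.substring(0, idx3)` then throws StringIndexOutOfBoundsException during ACL loading with no hint of which resource is malformed (the old `indexOf` had the same hole); add an `if (idx3 < 0)` check that fails with a message naming `resource`. The trade-off the cover mail states, a ':' in the description corrupting the expression field, is silent in this code: for a description such as `Note: agents only` the text `:Note` ends up glued onto `aclStr`, so confirm that whatever parses `aclStr` into entries rejects such input rather than skipping it, because an ACL record that loads as something other than what was written is a fail-open risk. The new comment is good; the constraint it implies (no ':' in the final field) also belongs wherever the ACL file format is documented.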
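The record split that the 0140 patch changes, as an added example that is not part of the original mail or of the project's code: a small Python re-implementation of the `resource:rights:aclEntries:description` split from CMSEngine, with the old first-colon and the new last-colon behaviour selectable, run over constructed records. The record layout, the ';' separator between entries and the `allow|deny (ops) attr="value"` entry shape are assumptions made for this example, as are the group names and descriptions; the entry validation that makes a mis-split record fail instead of loading garbage is an addition the patch itself does not contain.

```python
import re
from dataclasses import dataclass

# Constructed re-implementation of the ACL record split touched by the
# 0140 patch; NOT the project's code. Assumed record layout:
#   resource:rights:aclEntries:description
# rights are comma-separated, entries are ';'-separated (assumption).


class AclParseError(ValueError):
    """Raised for any record that does not split and validate cleanly."""


@dataclass
class AclRecord:
    resource: str
    rights: list
    entries: list
    description: str


# Assumed entry grammar:  allow|deny (op[,op...]) term [ (&&|||) term ]*
# with term = attr=|!="value".  Anchored so a mis-split entry cannot match.
_ENTRY_RE = re.compile(r'^(allow|deny)\s*\(\s*(\w+(?:\s*,\s*\w+)*)\s*\)\s*(.+)$')
_TERM = r'\w+\s*(?:!=|=)\s*"[^"]*"'
_EXPR_RE = re.compile(rf'^{_TERM}(?:\s*(?:\|\||&&)\s*{_TERM})*$')


def _check_entry(entry: str, rights: list) -> str:
    """Fail closed: reject entries that do not match the grammar or that
    grant an operation the record never declared."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise AclParseError(f"malformed ACL entry: {entry!r}")
    ops = [o.strip() for o in m.group(2).split(",")]
    unknown = [o for o in ops if o not in rights]
    if unknown:
        raise AclParseError(f"entry grants undeclared rights {unknown}: {entry!r}")
    if not _EXPR_RE.match(m.group(3).strip()):
        raise AclParseError(f"malformed ACL expression: {m.group(3)!r}")
    return entry.strip()


def parse_acl(record: str, last_colon: bool = True) -> AclRecord:
    """Split one record. last_colon=True is the patched lastIndexOf
    behaviour; False is the pre-patch indexOf behaviour."""
    idx1 = record.find(":")
    idx2 = record.find(":", idx1 + 1) if idx1 >= 0 else -1
    if idx2 < 0:
        raise AclParseError(f"missing resource/rights separators: {record!r}")
    resource = record[:idx1]
    rights = [r.strip() for r in record[idx1 + 1:idx2].split(",") if r.strip()]
    rest = record[idx2 + 1:]
    idx3 = rest.rfind(":") if last_colon else rest.find(":")
    if idx3 < 0:  # the guard the hunk lacks: substring(0, -1) would throw
        raise AclParseError(f"{resource}: missing description separator")
    acl_str, description = rest[:idx3], rest[idx3 + 1:]
    entries = [_check_entry(e, rights) for e in acl_str.split(";") if e.strip()]
    if not entries:
        raise AclParseError(f"{resource}: no ACL entries")
    return AclRecord(resource, rights, entries, description)


def parses(record: str, last_colon: bool = True) -> bool:
    """True if the record loads cleanly under the chosen split rule."""
    try:
        parse_acl(record, last_colon)
        return True
    except AclParseError:
        return False


# Constructed sample records (not taken from the project's ACL files).
COLON_IN_GROUP = ('certServer.ca.certificate:read,revoke:'
                  'allow (read) group="System: Certificate Agents";'
                  'allow (read,revoke) group="Certificate Manager Agents":'
                  'Agents may read or revoke certificates')
COLON_IN_DESC = ('certServer.kra.key:read:'
                 'allow (read) group="Data Recovery Manager Agents":'
                 'Note: agents only')

if __name__ == "__main__":
    print(parse_acl(COLON_IN_GROUP))                 # new split: loads
    print(parses(COLON_IN_GROUP, last_colon=False))  # old split: False
    print(parses(COLON_IN_DESC))                     # new split: False
    print(parses(COLON_IN_DESC, last_colon=False))   # old split: True
```

`COLON_IN_GROUP` only loads with the last-colon split, `COLON_IN_DESC` shows the failure the cover mail warns about, and in both mis-split cases the validator turns the wrong split into an error rather than a silently different ACL; that is the property worth confirming in the real entry parser after this change.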
diff --git a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java index c7d8df56bbfb1bf8af6c51ce491fc1384560b4a8..6fcf8e7b03eb596bb7914912474eeb3c298b6da1 100644 --- a/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java +++ b/base/common/src/com/netscape/certsrv/authorization/IAuthzSubsystem.java @@ -21,6 +21,7 @@ import java.util.Enumeration; import java.util.Hashtable; import com.netscape.certsrv.authentication.IAuthToken; +import com.netscape.certsrv.authorization.EAuthzUnknownRealm; import com.netscape.certsrv.base.EBaseException; import com.netscape.certsrv.base.ISubsystem; @@ -181,4 +182,12 @@ public interface IAuthzSubsystem extends ISubsystem { * @return an authorization manager interface */ public IAuthzManager get(String name); + + /** + * Given a realm name, return the name of an authz manager for that realm. + * + * @throws EAuthzUnknownRealm if no authz manager is found. + */ + public String getAuthzManagerNameByRealm(String realm) + throws EAuthzUnknownRealm; } diff --git a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java index 31d5e71b4bdd672fa3eae3108824480d87eafdf3..67d12bdff2e716bcea4034726d189a23c6f50796 100644 --- a/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java +++ b/base/server/cmscore/src/com/netscape/cmscore/authorization/AuthzSubsystem.java 
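Review bot: The added `import com.netscape.certsrv.authorization.EAuthzUnknownRealm;` is a same-package import: IAuthzSubsystem.java lives under `com/netscape/certsrv/authorization/` per the diff header, so the import is redundant and should be dropped. The javadoc on `getAuthzManagerNameByRealm` should also say what happens when more than one manager lists the same realm, since the ACLInterceptor mentioned in the commit message will depend on the answer.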
@@ -495,10 +495,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { // if record owner == requester, SUCCESS if ((owner != null) && owner.equals(authToken.getInString(IAuthToken.USER_ID))) return; - String mgrName = getAuthzManagerByRealm(realm); - if (mgrName == null) { - throw new EAuthzUnknownRealm("Realm not found"); - } + String mgrName = getAuthzManagerNameByRealm(realm); AuthzToken authzToken = authorize(mgrName, authToken, resource, operation, realm); if (authzToken == null) { @@ -506,12 +503,17 @@ public class AuthzSubsystem implements IAuthzSubsystem { } } - public String getAuthzManagerByRealm(String realm) throws EBaseException { + public String getAuthzManagerNameByRealm(String realm) throws EAuthzUnknownRealm { for (AuthzManagerProxy proxy : mAuthzMgrInsts.values()) { IAuthzManager mgr = proxy.getAuthzManager(); if (mgr != null) { IConfigStore cfg = mgr.getConfigStore(); - String mgrRealmString = cfg.getString(PROP_REALM, null); + String mgrRealmString = null; + try { + mgrRealmString = cfg.getString(PROP_REALM, null); + } catch (EBaseException e) { + // never mind + } if (mgrRealmString == null) continue; List mgrRealms = Arrays.asList(mgrRealmString.split(",")); @@ -521,7 +523,7 @@ public class AuthzSubsystem implements IAuthzSubsystem { } } } - return null; + throw new EAuthzUnknownRealm("Realm not found"); } } -- 2.7.4
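Review bot: In the `getAuthzManagerNameByRealm` hunk, `catch (EBaseException e) { // never mind }` swallows a config read failure, so a manager whose `realm` property cannot be read is silently skipped and the caller gets `Realm not found`, which points at the wrong cause; at least `CMS.debug` the exception together with the manager's name. Iteration over `mAuthzMgrInsts.values()` has no defined order, so when two managers list the same realm the one returned is arbitrary; either reject duplicate realm claims at init or document first-match semantics. Renaming the public `getAuthzManagerByRealm` without leaving a deprecated wrapper breaks any out-of-tree caller, which is acceptable for an interface change but deserves a line in the commit message.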