[Pki-users] Announcing the release of Dogtag 10.0.2

Moyer, Thomas - 0558 - MITLL thomas.moyer at ll.mit.edu
Fri May 3 13:57:01 UTC 2013


Is there documentation on the REST interface that I can look at? I've
found some examples, but nothing that outlines everything.

Also, does the Python client framework support querying for certificates,
or is it just for the initial deployment?

Thanks!

-Tom

On 5/2/13 10:09 PM, "Ade Lee" <alee at redhat.com> wrote:

>The Dogtag team is proud to announce the second errata build for
>Dogtag v10.0.0. 
>
>Builds are available for Fedora 18 and Fedora 19 in the updates-testing
>repo.  Please try it out and provide karma to move them to the F18 and
>F19 stable repos.
>
>Daily developer builds for Fedora 17, 18 and 19 are available at
>http://nkinder.fedorapeople.org/dogtag-devel/fedora/
>
>== Build Versions ==
>pki-core-10.0.2-2
>pki-ra-10.0.2-2
>pki-tps-10.0.2-2
>dogtag-pki-10.0.2-1
>dogtag-pki-theme-10.0.2-1
>pki-console-10.0.2-2
>
>== Highlights since Dogtag v. 10.0.1 ==
>* A new Python client framework has been written to connect to the
>restful interface on the java subsystems.  This interface was used
>for some installation functionality and will continue to be expanded.
>
>* pkispawn and pkidestroy were modified to use the new Python client
>framework and the dependency on jython was eliminated.
>
>* The installation interfaces were changed so that most of the
>installation interactions take place over the admin interface.
>
>* New command line parameters have been added to pkidestroy to provide
>the username and password of the security domain administrator to update
>the security domain.  Formerly, no credentials were required because we
>used the subsystem certificate of the subsystem for authentication.  The
>new method provides better auditing as to exactly who is de-registering
>and removing a subsystem.  As such, use of the new options is
>recommended, and will be made mandatory in a future release.
>
>* Although it is possible to run Dogtag 9 style instances on Dogtag 10,
>these instances do not have the required configuration to expose the
>RESTful interface.  A new servlet has been added to return 501 (Not
>implemented) on these instances when the REST URLs are accessed.  This
>is only applicable on Fedora 18 (See Fedora 19 note below).
>
>* A new interactive mode has been added to pkispawn and pkidestroy.  In
>this mode, users are prompted for details in order to set up the most
>basic servers.  Any customizations would still need to be done through
>configuration files.   Interactive mode is an excellent way for users to
>set up a server and become familiar with Dogtag.
>
>* Support has been added for the random generation of serial numbers for
>certificates issued.  More details about this feature and how to enable
>it can be found here:
>http://pki.fedoraproject.org/wiki/Random_Certificate_Serial_Numbers
>
>
>* Nonces are used in Dogtag to prevent cross-site request forgery and
>replay attack, but they were stored in a global list.  To prevent
>possible collisions with other user's nonces, they are now stored in
>each user's session.
>
>* Previously, session IDs were generated using /dev/random, which may
>block under certain circumstances, making server startup slow. To avoid
>this, the server configuration has been changed to use PKCS11PRNG
>provided by JSS.
>
>* A new upgrade framework has been added to allow instances to be
>automatically upgraded when new packages are installed.  This framework
>will be used to eventually remove the need for migrations between
>releases.  The upgrade scripts are invoked by postinstall scriptlets in
>the pki-base and pki-server packages.  On completing an upgrade, users
>should check the upgrade logs in /var/log/pki/pki-upgrade-*.log
>and /var/log/pki/pki-server-upgrade-*.log for any errors.  The upgrade
>scripts (pki-upgrade and pki-server-upgrade) can also be run manually.
>Additional troubleshooting information can be found at:
>http://pki.fedoraproject.org/wiki/Upgrade
>
>* New CLI has been added to simplify client certificate management
>including importing and trusting CA certificates.
>
>* Previously, the pki CLI tool used the same parameter (-w) to specify
>both user and client certificate database passwords.  The CLI has been
>modified to use a new parameter (-c) for the database password, and -w
>for the user password.
>
>* Multiple additional fixes to pkispawn, pkidestroy, pki and their man
>pages.
>
>== Notes on Fedora 19 ==
>Fedora 19 does not provide tomcat 6.  Dogtag 9 style instances will
>therefore no longer work on Fedora 19.  These instances need to be
>migrated to Dogtag 10.
>
>To prevent inadvertently disabling Dogtag instances, code has been added
>to prevent upgrades to Fedora 19 if Dogtag 9 instances exist.  Details
>on how to upgrade Dogtag 9 instances and workarounds can be found at:
>http://pki.fedoraproject.org/wiki/Migrating_Dogtag_9_Instances_to_Dogtag_1
>0
>
>== Detailed Changes since Dogtag v. 10.0.1 ==
>
>akoneru (23):
>#191 Map REST exceptions to HTTP status codes
>#217 CLI should display message on operations that complete with error
>#290 Add hints to option descriptions for cert-find cli command
>#383 Extend coverity tests to scan other subsystems (TPS, etc.)
>#452 Dogtag 10: Fix minor RA and TPS Configuration Wizard Panel issues
>#465 Verify 'pki_backup_keys=True' if 'pki_backup_password'is set
>#470 Prevent concurrent execution of pkispawn/pkidestroy
>#471 Update man pages for interactive pkispawn/pkidestroy
>#493 interpolation in pkispawn scripts should not apply to passwords
>#502 Change pkidestroy "-w" option to require a password file
>#507 Mark pki.conf as configuration file in RPM spec
>#509 man page for pkispawn should be modified to specify
>     pki_ca_signing_subject_dn when setting up subordinate CA
>#514 Clean up pkispawn output
>#521 Separate python deployment engine from python deployment
>     scriptlets source code
>#525 Incorrect info in pkispawn man page
>#536 Catch keyboard interrupt
>#542 Remove all "respawn()" logic from "pkispawn"
>#543 Incorrect user-show usage.
>#549 PKCS10Client tool throws java exception NoClassDefFoundError
>#563 Use timeout in configuration script
>#566 Mask sensitive parameters in archived config
>#592 pkispawn not reporting the error message when exceptions are thrown
>#593 Error caused by JSON Configuration result decoding when installing
>     CA clone
>
>alee (9):
>#232 add python binding for pkispawn/ pkidestroy
>#419 REST interface for cert requests
>#532 refactor pkispawn to use new python client
>#546 Upgrade script for clone installation
>#564 Rename base/deploy to base/server
>#589 dependency needed for java-atk-wrapper in f19
>#578 Rest API does not work on d9 -> d10 upgrade instances
>#590 pki-base needs to deliver /var/log/pki
>#597 Create 10.0.2 builds
>
>awnuk (7):
>#569 Port support for random certificate serial numbers to Dogtag 10
>#570 Port patch allowing to support random certificate serial numbers
>     for system certificates to Dogtag 10
>#579 Port patch allowing to clone CA with random serial number enabled.
>#580 Port patch allowing to restart CA clone during configuration
>     change to random serial numbers.
>#584 Port patch including system certificates with random serial
>     numbers in the certificate counter.
>BZ 955784 - Correct Javascript inability to handle big numbers
>BZ 951501 - Coorects key IDs miscalculated by Javascript
>
>
>cfu (6):
>BZ 929043 - serverCert.profile with SAN results in
>SubjectAltNameException
>BZ 927545 - Transport Cert signing Algorithm doesn't show ECC Signing
>Algorithm
>BZ 904289 - Add ECC Support to Certificate Profiles
>BZ 902952 - RFE: Revocation routing with TPS and multiple non-cloned CAs
>BZ 903401 - TMS: RSA token enrollment failed : public key decode error
>#362 CMC ECC 
>
>edewata (24)
>#190 REST interface for user-group membership.
>#291 Fix forma of validityUnit option in cert-find command
>#380 default install: part 2
>#472 pkispawn should test DS info
>#473 pkispawn should test security domain info
>#474 Session-based nonces
>#476 Limit username & password authentication
>#477 Annotation for authentication methods
>#491 Prompt CLI user on certificate warnings.
>#497 Date format for cert-find
>#498 [RFE] Add dates to cert-find output
>#500 validityCount option returns 500 error
>#501 Add cert status option to cert-find
>#503 Dogtag 10: Security Domain Issues
>#511 Add cert-request-show command.
>#520 CLI returns 0 on error
>#523 Add CLI option to capture HTTP data
>#524 Tomcat blocks during startup
>#535 python-requests compatibility problem
>#541 Use FQDN instead of localhost in CLI
>#544 Implement upgrade framework
>#545 Upgrade script for random number generator
>#553 pki.conf needs to be delivered by pki-base
>#598 Upgrade script for JNI_JAR_DIR
>
>jmagne (1):
>#587 ipa-server-install crashes due to sslget error
>
>mharmsen (7):
>#409 Add pkispawn option to not copy the UI pieces (gifs, templates).
>#488 Dogtag 10: Fix cli 'cert-find' clientAuth issue
>#517 Clean up theme dependencies
>#518 Remove UI dependencies from pkispawn
>#602 pkiconsole cannot find 'jss4.jar' on Fedora 19
>BZ 947524 - Clone installation does not work over NAT
>BZ 919476 - pkispawn crashes due to dangling symlink to jss4.jar
>
>
>_______________________________________________
>Pki-users mailing list
>Pki-users at redhat.com
>https://www.redhat.com/mailman/listinfo/pki-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5142 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-users/attachments/20130503/ca4b8eb3/attachment.p7s>


More information about the Pki-users mailing list