From alee at redhat.com Sun Nov 3 18:53:10 2013
From: alee at redhat.com (Ade Lee)
Date: Sun, 03 Nov 2013 13:53:10 -0500
Subject: [Pki-users] Announcing the release of Dogtag 10.0.6
Message-ID: <1383504790.7216.52.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the sixth errata build for Dogtag 10.0.

Builds are available for Fedora 18 and Fedora 19 in the updates-testing repositories. Please try them out and provide karma to move them to the F18 and F19 stable repositories. Karma can be provided at https://admin.fedoraproject.org/updates for each package.

== Build Versions ==

pki-core-10.0.6-1
pki-ra-10.0.6-1
pki-tps-10.0.6-1
dogtag-pki-10.0.6-1
dogtag-pki-theme-10.0.6-1
pki-console-10.0.6-1

== Highlights since Dogtag 10.0.5 ==

* Some commands in the pki CLI have been renamed for better consistency. The old commands will continue to work, but they have now been deprecated, and will be displayed accordingly in the usage and man pages. The commands that have been renamed are:

  * old command -> new command
  * client-find-cert -> client-cert-find
  * client-import-cert -> client-cert-import
  * client-remove-cert -> client-cert-del
  * group-add-member -> group-member-add
  * group-find-member -> group-member-find
  * group-show-member -> group-member-show
  * group-remove-member -> group-member-remove
  * user-add-cert -> user-cert-add
  * user-find-cert -> user-cert-find
  * user-show-cert -> user-cert-show
  * user-remove-cert -> user-cert-del
  * user-add-membership -> user-membership-add
  * user-find-membership -> user-membership-find
  * user-show-membership -> user-membership-show
  * user-remove-membership -> user-membership-del

* The upgrade scripts have been modified to back up the files used to track the upgrade process. For instance-specific upgrade scripts, this is CS.cfg.

* A missing jar link to apache-commons-io prevented IPA replica installs from completing successfully on RHEL 7. The required link has been added. (BZ 1024679)

* Due to a bug in the configuration code, when installing a non-cloned CA, the certificate for the admin user configured during the install was signed with SHA1 by default. With the fix, the admin cert is signed with SHA256 by default. It is possible to override this setting by changing values in the caAdminCert.cfg profile prior to configuration. (BZ 1024445)

* ipa-cert-remove-hold used to return a server error. The error handling code for this servlet has been modified to return the correct error message. (BZ 999722)

* java-abrt crashes were being generated during IPA server installs due to exceptions being thrown during tomcat shutdown. This was due to the shutdown code being called multiple times internally. This code has been fixed. (BZ 1018268)

== Detailed Changes since Dogtag 10.0.5 ==

alee (3):
#743 fix tmpfiles.d references in spec files to reference /run/lock instead of /var/lock
#776 IPA CA replica installation crashes on pkispawn (bz 1024679)
#781 Admin cert signed with SHA1, should be SHA256 (bz 1024445)

edewata (5):
#779 Renaming Dogtag 10.0 pki commands
#763 Backup tracker files during upgrade
#775 Fix errors during tomcat shutdown (BZ 1018628)
#739 ipa-cert-remove-hold returns server error (BZ 999722)
#780 Unable to get user principal in servlet


From alee at redhat.com Fri Nov 22 21:37:33 2013
From: alee at redhat.com (Ade Lee)
Date: Fri, 22 Nov 2013 16:37:33 -0500
Subject: [Pki-users] Announcing the release of Dogtag 10.1
Message-ID: <1385156253.4165.52.camel@aleeredhat.laptop>

The Dogtag team is proud to announce the release of Dogtag v10.1.0. This release is being released in conjunction with the GA release of Fedora 20.

Due to changes in the way tomcat is started in Fedora 20, and the corresponding changes in the Dogtag init scripts, Dogtag 10.1 will only be delivered from Fedora 20 upwards. Dogtag 10.0 will continue to be delivered and supported for Fedora 18 and 19.
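The 10.0.6 errata above notes that admin certificates issued by a non-cloned CA were signed with SHA1 by default before the fix (BZ 1024445). An administrator who installed before the errata may want to verify which signature algorithm an existing admin certificate actually carries. The script below is an added example, not code from the announcement or from Dogtag: it parses the outer Certificate SEQUENCE of a DER or PEM X.509 certificate (as exported from the admin's client database with the tools of your choice) and reports the signatureAlgorithm OID, flagging SHA-1 based ones. The `sample_cert` and `to_pem` helpers build a constructed, non-verifiable certificate skeleton purely so the check can be exercised offline; the OID table holds the standard RFC 3279/4055 values.

```python
"""Report the outer signatureAlgorithm of an X.509 certificate and flag SHA-1 (added example)."""
import base64
import re
import sys

# Signature-algorithm OIDs recognised by this check (RFC 3279 / RFC 4055 values).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_bytes, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted-decimal text (base-128 arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(cert):
    """Accept DER bytes, or a PEM CERTIFICATE block (str or bytes), and return DER."""
    if isinstance(cert, bytes):
        if not cert.lstrip().startswith(b"-----"):
            return cert                      # already DER
        cert = cert.decode("ascii")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(cert):
    """Return the dotted OID of Certificate.signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    der = pem_to_der(cert)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)            # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(body, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_bytes)


def check_cert(cert):
    """Return (algorithm name or OID, is_weak); is_weak is True for SHA-1 based signatures."""
    name = SIGNATURE_OIDS.get(signature_algorithm(cert), signature_algorithm(cert))
    return name, "sha1" in name.lower()


# --- constructed test fixtures (not real certificates; only the outer layout is genuine) ---
def _der(tag, content):
    """Encode one DER TLV, using the long length form when needed."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    """Inverse of _decode_oid, used only to build fixtures."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_cert(oid):
    """Constructed certificate skeleton whose signatureAlgorithm is `oid` (not verifiable)."""
    tbs = _der(0x30, _der(0x04, b"\x00" * 200))              # stand-in tbsCertificate, >127 bytes
    alg = _der(0x30, _der(0x06, _encode_oid(oid)) + b"\x05\x00")  # AlgorithmIdentifier + NULL
    sig = _der(0x03, b"\x00" + b"\xAB" * 32)                # BIT STRING placeholder signature
    return _der(0x30, tbs + alg + sig)


def to_pem(der):
    """Wrap DER bytes in PEM armour with 64-column lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python check_sig_alg.py admin.pem   (or a DER file)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert("1.2.840.113549.1.1.5")
    name, weak = check_cert(data)
    print(f"signature algorithm: {name}{'  <-- SHA-1, reissue this certificate' if weak else ''}")
```

The parser deliberately reads only the three top-level elements of the Certificate structure and the leading OID of the AlgorithmIdentifier, so it works on any DER certificate without validating the rest; the second, inner signature field inside tbsCertificate is not consulted because the outer one is what a verifier honours.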
== Build Versions ==

pki-core-10.1.0-1.fc20
pki-ra-10.1.0-1.fc20
pki-tps-10.1.0-1.fc20
dogtag-pki-10.1.0-1.fc20
dogtag-pki-theme-10.1.0-1.fc20
pki-console-10.1.0-1.fc20

== Upgrade Notes ==

Upgrade from Dogtag 10.0 to Dogtag 10.1 should be seamless, with all relevant migration steps performed by upgrade scripts when the packages are installed. Simply follow the standard procedure for upgrading from Fedora 19 to Fedora 20.

http://fedoraproject.org/wiki/Upgrading

== Highlights since Dogtag v. 10.0 ==

Infrastructure/Version Changes:

* pylint was added to the build scripts, and any pylint errors and warnings in the python code were fixed. The build now fails if any new errors or warnings are generated.

* RESTEasy was updated from version 2.3.2 to 3.0.1. As part of this transition, some server code (the interceptors) was modified to implement JAX-RS 2.0.

* In Fedora 20, tomcat has changed to more properly use systemd unit files to start up, rather than system V init scripts. (https://bugzilla.redhat.com/show_bug.cgi?id=842346) As a result, new Dogtag systemd unit files (based on the tomcat unit files) were required. This change is the primary reason Dogtag 10.1 cannot be deployed in Fedora versions < 20.

New Testing Framework:

A new test framework was added to the upstream git source tree. This framework can be used to do standalone tests or as part of a continuous integration testing framework. This framework includes:

* QE tests are added to upstream git as part of this release. These tests use the beaker libraries to generate results and are run in a beaker test bed.

* A mechanism for writing JUnit tests, with some sample tests. These tests can be run through eclipse on a local test environment or run along with the QE tests on a beaker machine. Customized Suite and RunNotifier classes are provided to generate the results using beaker libraries in place of the actual JUnit result.

* The README file in tests/dogtag provides information on how to run the tests.
REST interface enhancements:

* The interface has been updated to use standard HTTP return codes under various operations. Paging support has been added to most search operations.

* New REST interfaces have been added for managing certificate profiles on the CA. This includes:

  * Methods to list, add, remove, edit, enable/disable profiles. These methods are protected by ACLs that limit authorization to agents or administrators as appropriate.
  * Extensions to the pki CLI tool to perform all the above operations.
  * A new method to provide enrollment templates to end-entity users for specific profiles. An enrollment template is a certificate request representation that contains all the required inputs for a given profile. End entity users can list available profiles by calling GET /certrequests/profiles, and fetch an enrollment template by navigating to GET /certrequests/profiles/{id}.

DRM Enhancements:

* Audit logging has been added to the REST interfaces for key archival and recovery.

* REST interface for asymmetric key retrieval provides ability to submit key recovery requests, approve them, and retrieve keys approved for recovery.

* Transport Key rotation provides ability to gradually migrate DRM and connected CAs from a current to a new transport key. It also provides support for simultaneous use of both transport keys.

New Stand-alone DRM:

* It is now possible to deploy a stand-alone DRM through pkispawn.

* Dogtag subsystems such as DRMs have always required the presence of a Dogtag Certificate Authority (CA) to be part of a PKI deployment. A stand-alone DRM uses an external CA to obtain its system certificates, such that the DRM can be set up without a Dogtag CA in its PKI deployment. The DRM is not expected to communicate with any other PKI subsystems (with the exception of its clones, which will be implemented in a future release). Potential users of this feature include CA-less IPA installation and storage of secrets, and possible integration with CloudKeep.
New Java-Based TPS:

* We have begun an effort to re-implement the TPS subsystem (which is currently written as C/C++ Apache modules) in Java. The new tomcat-tps will run in a Tomcat server like the other Java subsystems, either within the same or in a separate Tomcat instance. There are many steps in this effort, detailed below. As of this release, steps 1, 2 and the design phase of step 3 are complete. The remaining steps are slated to be delivered in the next major release.

  1. Creation of installation/configuration code through pkispawn (either interactive or non-interactive). In particular, a new interface has been created to automate the generation and distribution of the symmetric key that acts as a shared secret between the TKS and TPS. Currently, this secret is generated and distributed using tkstool - which is a manual, error-prone process.
  2. Creation of new REST interface and CLI for various TPS resources and services including tokens, certificates, profiles, users, groups, self tests, configurations, and logs.
  3. Design and implementation of new TPS Web UI for administrators, operators and agents.
  4. Porting of lower level code that interacts with tokens and other subsystems.

CLI improvements:

* The "pki" CLI commands have been organized according to the target of the operations: the client, the subsystems, and the security domain. The client commands provide an interface to manage client certificates. The subsystem commands provide an interface to access various services in each subsystem. The security domain commands provide an interface for managing subsystems. The old-style commands are still available for backward compatibility.

== Detailed Changes since Dogtag 10.0 ==

akoneru (31):
406712a Updated the tests README with the CI server setup info.
9c2f772 Maintain separate scripts for task and jobxml creation.
f93635b Update the runtest.sh file with the latest code.
2442de7 Minor changes to the test scripts.
c75ce3c Fixes for review comments
abd6142 Provide build scripts for the Java test classes.
8025dfe README file for setting up and running the tests.
224be61 Added JUnit tests upstream.
b9d125a Provide compose scripts for tests.
bb20c9f Add the QE tests to upstream git.
aa52cb6 Modify output file option for cert-request-review command.
6e700e5 Wrong date in %changelog in pki-core.spec
f630689 Added new packages required for build in pki.core.spec.
23cce97 Adding pylint scan to the build.
25fded8 Minor issue - redundant import in pkispawn
7e1a8b7 Minor changes in Installation Summary.
c1bdf93 Fixes for issues reported by pylint.
9b83091 Fix a defect in upgrade scripts.
bdec940 Fixed pylint warning W0212.
109b9b6 Fixes for issues reported by pylint.
11e7d68 Fix issues reported by pylint.
73be9e5 Fixes for issues reported by pylint.
edca1ee Fixes for issues reported by pylint.
219ec9c Fixes for issues reported by pylint.
8f08b83 Fixes for issues reported by pylint.
0f3cc75 Minor reference fix in selinux-setup.py
c1d4741 Applied PEP8 formatting to python files.
66c34cf Code refactored for global variables and utility classes.
e21bed6 Use 'with' construct for file operations.
d81c8e9 Changes to the displayed installation summary.
3cad342 Do not use sys.exit() after an error.

alee (53):
24727d1 Add migration scripts to fix registry file and ownership
3ce7191 Fix useradd command in pkispawn to not create avc
03944af Cleaned up spec files and update release number for release build
029bf78 fix spec typo
02dcc3b Update spec files for beta build
252848b Revert to allowing security manager
89eebe6 Added checks for CertRequest and Cert Resources
48fb4f1 Fix KeyRequest and Key Resources to return correct exit codes
cbb907a Fix return values in ProfileResource
5e748a5 Modify profile resource to return correct response for create or modify
a42e510 Fixed references to /var/run and /var/lock in spec files for RA and TPS.
2e54c85 Fixed logic for setting admin cert signing algorithm
21da33a Fix correct ACL for profile REST interface
cdbfab4 Add upgrade file for auth.properties
dfbc59a fix auth and authz for Profiles REST API
99def30 Add audit logging for new security data operations in kra
1b3f3bd typo in spec file
878a51a Additional fix to remove /var/run and /var/lock
b568daf Remove run and lock files from pki-core for f20
d042f57 Added method to modify connector
3c933d1 Changes to TPSConnectorService based on review
e9c373e Modify TKS self tests and execution to use new shared secret names
6eaf2c0 Add service to generate and retrieve a shared secret
4c17e82 Added interactive install for tomcat TPS
fb32217 Upgrade script to fix JAVA_OPTS
f37ae8f Workaround for resteasy context problem
acee138 Added new link for resteasy dependency
6ba0908 fixing for new tomcat systemd files
8c437a7 Change interceptors to use jaxrs 2.0
04b71d1 Catch all exceptions when checking for status.
8f0218b manager.ldif referenced incorrectly in CS.cfg
4afa12c Provide enrollment template per profile
9c7e89d Add audit logging to profile interface
a90518e Fixed filter code for revocationReason
27ed263 Changed systemd service file so that target starts up correctly
05ff18e Move status marker from CS.cfg to a variable.
27f602d Added TPS installation to the web based install panels for Java
7f829d6 Add TPS profile ID auxiliary object to tps users
5ecf890 Add TPS self tests
4ab7fdc Added ldif files to add VLV indexes to TPS installation
1be39b1 Move security domain session classes to correct package
e6b7428 Initial code to configure a TPS in tomcat
6841782 Fix link parsing code to remove broken symbolic links before replacing
5d5b40f Fixes for profile REST interface from code review.
d4b0d0c Add exceptions to Profile REST service.
ea1d7a7 Fix various issues with Profile Interface
9eb2c35 Add interfaces for managing profiles
b5fd84a Add systemd build requirement to fix build failures in f19
5374817 Bugzilla Bug 973224 - resteasy-base must be split into subpackages
3e1d74f Modify pkispawn to handle case where no subsystemCerts are generated
e02ee21 Make sure only the master keys and certs are imported.
7cf2a47 Modify java-tools startup scripts to use correct JNI path
ad7cb8e Change spec versions to 10.1.0-0.1 for 10.1 development

awnuk (16):
3e41320 REST interface extension
618be8b enable tomcat access log
2b9fcda DRM Transport Key Rotation
bc2df10 Pre-registration of CA cross signing profile
2a58ffc CA cross signing profile
b76fddf Pre-registration of UserSubjectNameConstraint plug-in
0ae2e90 UserSubjectNameConstraint plug-in
8c635c6 CRMFPopClient update
b60f640 PKCS10Client update
a80cb95 Added UTF8 to default encoding order.
27ea2f4 directory and pin profile
e4656ce exportable key
f0f6597 correcting JavaScript inability to handle big numbers
b3316c8 pki-tps various flaws
c90155c Option to include nextUpdate as an offset to thisUpdate
a6ae98f Randomized validity

cfu (3):
4db22ab Bug 1005025 - Unable to view Curve details of ECC Cert request from Agent
9d70b93 Bug 986831 - Some tools are broken for ECC with NSS token alone
d6e987b Bug 952500 - CMCAuth fails with error "CMCAuth: java.security.NoSuchAlgorithm

edewata (106):
b5d353f Replaced auth.properties with acl.properties.
b1a187e Updated requirements for RESTEasy.
10ceea1 Fixed return code on non-existent and duplicate entries.
f223501 Added ACL for TPS profile mapping.
23c1fa5 Updated pki CLI man page.
94a964a Fixed client-cert-import command.
7893dac Fixed problem with key-find.
88b5bfe Added client-init command.
c73890c Updated ACL and auth method mapping names.
f02987b Added ACL for TPS selftests.
815cdd9 Added ACL for TPS connections.
c694fde Added ACL for TPS configuration.
b7716af Added ACL for TPS authenticators.
0aab0a6 Fixed CLI command parsing.
4d1ec71 Added paging on all find commands.
17a52b6 Added more null parameter checking.
014fdc8 Added null parameter checking.
f74c644 Fixed find commands.
9d30903 Fixed database cleanup issues.
66eabd9 Fixed return code for user and group services.
68897c7 Renamed CLI commands.
89d8716 Added TPS profile resource.
481ee45 Removed duplicate ACL classes.
f2f7f50 Renamed CLI commands.
1cbd519 Fixed problem running GroupMemberProcessor on non-CA.
812ecab Renamed Processor to CAProcessor.
5d8c611 Added mechanism to deprecate CLI commands.
86ef9b6 Backup upgrade tracker.
64a4b12 Fixed tests dependencies.
3b2b7ea Fixed errors during Tomcat shutdown.
6cadca3 Fixed error handling in DoUnrevoke servlet.
bdcfb92 Added access control for TPS token.
533029c Cleaned up CertEnrollmentRequest.
2119f1b Reorganized server packages.
7ca5adf Fixed problems finding user and group sub-resources.
0042318 Renamed client commands.
4566ce7 Reorganized PKIPrincipal.
6dc062e Refactored authentication managers.
dcc0f11 Reorganized PKIRealm class.
0e625c6 Moved EnableSessionInAuthenticator script to 10.0.5.
53ef3a1 Added audit resource.
ae753b2 Fixed problem getting client object.
26f0ac0 Added CA certificate CLI.
f9a4be1 Fixed user and group commands.
634d615 Added selftest resource.
f2a85c0 Fixed pylint issue in pkiparser.py.
a4a492e Fixed CLI authentication issue.
7c0fb95 Added TPS profile mapping resource.
bcf463c Added TPS connection service implementation.
565741c Added TPS authenticator service implementation.
e339952 Refactored TPS configuration resource.
a3ac3ef Refactored CLI framework.
5874cad Added TPS config resource.
4cc8327 Connected TPS certificate database to LDAP.
036ab19 Connected TPS activity database to LDAP.
848887d Connected token database to LDAP.
3567f55 Added LDAPDatabase.
b5796df Fixed dependency issue on RenewableCertificateCollection.
3446e2f Fixed dependency issue on ProfilePolicy.
13de812 Fixed duplicate TPSSubsystem instance.
3be4905 Added TPS authenticator resource.
15e029e Added TPS connection resource.
a847bcb Reorganized TPS classes.
8c101dc Fixed pkispawn blocking during TPS deployment.
510ace9 Added TPS certificate resource.
99c3fc9 Added subsystem group commands.
d2e98fe Added TPS user CLI.
ffb49f1 Added TPS activities resource.
c587da4 Reorganized CLI user commands.
ccb8d71 Refactored CLI framework.
7521662 Refactored client framework.
6d99354 Added generic database.
4a2880f Reorganized interceptors.
eb8fa13 Fixed TPS installation problem.
0b8e4d2 Fixed pylint false positive.
17d6be4 Moved Tomcat-based TPS to separate folder.
74f60e9 Added skeleton for token services.
f999249 Enabled debug log for Tomcat-based TPS.
a532695 Storing authentication info in session.
23ce40f Fixed NullPointerException with external CA.
d5a63e2 Fixed token authentication problem on RHEL.
f038cf0 Added man pages for upgrade tools.
dbf97df Fixed dependency issue on CMSRequest.
4aa89a9 Cleaned up code to install man pages.
6f76531 Reorganized deployment tools.
4d49d7e Added option to override compose work directory.
b3fad92 Reorganized server files.
55e4a3d Moved script to remove JNI_JAR_DIR to 10.0.3 folder.
ed2b774 Added support to backup folders during upgrade.
f5db517 Updated Java dependencies to version 1.7.
4798e98 Fixed RA and TPS dependencies on other PKI packages.
34fe36d Fixed library paths for RHEL 7.
99e5dc7 Added TPS servlet.
0812c8d Added Tomcat-based TPS instance.
2b1efa0 Fixed hard-coded server certificate nickname.
f9277f5 Renamed CA_PORT into PKI_CA_PORT.
1bbcc9f Renamed CA_HOST into PKI_CA_HOSTNAME.
f461a86 Replaced PKI_SUBSYSTEM_DIR with PKI_SUBSYSTEM_TYPE.
90d3f20 Renamed PKI_INSTANCE_ID into PKI_INSTANCE_NAME.
d78d744 Renamed SERVER_NAME and PKI_MACHINE_NAME into PKI_HOSTNAME.
1d53a9d Renamed SERVER_ROOT into PKI_INSTANCE_PATH.
3e1b7bd Renamed PORT and UNSECURE_PORT into PKI_UNSECURE_PORT.
8c4d4ae Renamed SECURE_PORT into PKI_SECURE_PORT.
1e25d6e Reorganized CS.cfg.in in RA and TPS.
ae94543 Removing JNI_JAR_DIR from /etc/pki/pki.conf.
aaf6e89 Added support for backup/restore on upgrade.

jmagne (2):
9c3cc5e Patch to get rid of introduced warnings.
0f7fb5d Fix Bug #963073 - rhcs81 tps crash for CN over than 64 bytes

mharmsen (10):
e54785c Fix tpsclient failure
babc511 Stand-alone DRM
47c77a6 Stand-alone DRM
51920f9 TRAC Ticket #707 - Do not "require" the following pkispawn parameters for GUI-based configuration
1094949 TRAC Ticket #641 - Incorrect interface labels in pkidaemon output
f4d5278 converted strings to lists and applied subprocess.check_call():
443bffb By default, disable SSL3_RSA_WITH_DES_CBC_SHA.
bb911f6 Bugzilla Bug #975939 - RHCS 8.1: "END CERTIFICATE" tag is not on its ow
596808f Bugzilla Bug #971561 - DRM - server-side key generation causes NullPointer
5ae8e72 Updated man pages

nkinder (2):
deb3dfb Ticket 757 - Allow unescaped '%' characters in deployment file password
443159f Ticket 755 - Detect unescaped percent characters in deployment files


From jfoley.tarheel at gmail.com Tue Nov 26 20:52:57 2013
From: jfoley.tarheel at gmail.com (John Foley)
Date: Tue, 26 Nov 2013 15:52:57 -0500
Subject: [Pki-users] Modify Certificate Profile
Message-ID:

I'm using the following instructions to modify a certificate profile:

http://pki.fedoraproject.org/wiki/Randomized_Validity#Editing_Certificate_Profiles

The problem is these instructions show a Java GUI that's used to modify the profile after it's been disabled. My question is what command is used to start this Java GUI? I'm using Fedora 19 with Dogtag 10.0. I've looked for additional RPMs that may be missing from my system. I've also looked for commands in /sbin, /bin, etc. What's the secret to starting this GUI?

Thank you.