diff --git a/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
new file mode 100644
index 0000000..c853ae2
--- /dev/null
+++ b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
@@ -0,0 +1,65 @@
+From 036d6fbf3d2af9f805f28f03679afc6ae1c25282 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 17 Feb 2017 15:59:57 +0100
+Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
+
+When ipa-server-install configures PKI, it provides a configuration file
+with the parameter pki_ajp_host set to ::1. This parameter is used to configure
+Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
+    <Connector port="8009"
+        protocol="AJP/1.3"
+        redirectPort="8443"
+        address="::1" />
+ie all requests to port 8009 are redirected to port 8443 on address ::1.
+
+If the /etc/hosts config file does not define ::1 for localhost, then AJP
+redirection fails and replica install is not able to request a certificate
+for the replica.
+
+Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
+redirection with "localhost", FreeIPA does not need any more to override
+this setting.
+The code now depends on pki 10.3.5-11 which provides the fix in the template
+and the upgrade.
+
+https://fedorahosted.org/freeipa/ticket/6575
+
+Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
+---
+ freeipa.spec.in                 | 4 ++--
+ ipaserver/install/cainstance.py | 4 ----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -159,8 +159,8 @@ Requires(post): systemd-units
+ Requires: selinux-policy >= %{selinux_policy_version}
+ Requires(post): selinux-policy-base >= %{selinux_policy_version}
+ Requires: slapi-nis >= %{slapi_nis_version}
+-Requires: pki-ca >= 10.3.4
+-Requires: pki-kra >= 10.3.4
++Requires: pki-ca >= 10.3.5-11
++Requires: pki-kra >= 10.3.5-11
+ Requires(preun): python systemd-units
+ Requires(postun): python systemd-units
+ Requires: zip
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
+             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+             config.set("CA", "pki_external_step_two", "True")
+ 
+-        # PKI IPv6 Configuration
+-        config.add_section("Tomcat")
+-        config.set("Tomcat", "pki_ajp_host", "::1")
+-
+         # Generate configuration file
+         with open(cfg_file, "wb") as f:
+             config.write(f)
+-- 
+2.9.3
+
diff --git a/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
new file mode 100644
index 0000000..23c6c40
--- /dev/null
+++ b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
@@ -0,0 +1,27 @@
+From c9e05427f20f79a8304a9874ae6793a0b5f54987 Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf <tscherf@redhat.com>
+Date: Fri, 24 Feb 2017 11:53:46 +0100
+Subject: [PATCH] added ssl verification using IPA trust anchor
+
+https://fedorahosted.org/freeipa/ticket/6686
+
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+---
+ ipapython/secrets/client.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
+index d9cc7d0f5b066dfd8efba480feb5f271ed1ebe83..f2f14af694df4468b3eedaac0fc762787b62e623 100644
+--- a/ipapython/secrets/client.py
++++ b/ipapython/secrets/client.py
+@@ -94,6 +94,7 @@ class CustodiaClient(object):
+ 
+         # Perform request
+         r = requests.get(url, headers=headers,
++                         verify=paths.IPA_CA_CRT,
+                          params={'type': 'kem', 'value': request})
+         r.raise_for_status()
+         reply = r.json()
+-- 
+2.9.3
+
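Review bot: The added `verify=paths.IPA_CA_CRT` argument in the `CustodiaClient` request carries no comment explaining why the trust anchor is pinned, so a later certificate error here could tempt someone to loosen it. I would put `# verify the Custodia server certificate against the IPA CA, not the system bundle` above the `requests.get` call. The patch is a single insertion with no import hunk, so it relies on `paths` already being imported in ipapython/secrets/client.py, which is not visible here. The call also passes no `timeout=`, so a peer that stops answering would presumably block the caller indefinitely. The enclosing method starts and ends outside the hunk.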
diff --git a/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
new file mode 100644
index 0000000..e8a7344
--- /dev/null
+++ b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
@@ -0,0 +1,46 @@
+From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale <ftweedal@redhat.com>
+Date: Fri, 13 Jan 2017 20:33:45 +1000
+Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
+
+CAs consist of a FreeIPA and a corresponding Dogtag object.  When
+executing ca-del, ca-enable and ca-disable, changes are made to the
+Dogtag object.  In the case of ca-del, the corresponding FreeIPA
+object is deleted after the Dogtag CA is deleted.
+
+These operations were not correctly authorised; the FreeIPA
+permissions are not checked before the Dogtag operations are
+executed.  This allows any user to delete, enable or disable a
+lightweight CA (except the main IPA CA, for which there are
+additional check to prevent deletion or disablement).
+
+Add the proper authorisation checks to the ca-del, ca-enable and
+ca-disable commands.
+
+https://pagure.io/freeipa/issue/6713
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipaserver/plugins/ca.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
+index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
+--- a/ipaserver/plugins/ca.py
++++ b/ipaserver/plugins/ca.py
+@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
+     def pre_callback(self, ldap, dn, *keys, **options):
+         ca_enabled_check()
+ 
++        # ensure operator has permission to delete CA
++        # before contacting Dogtag
++        if not ldap.can_delete(dn):
++            raise errors.ACIError(info=_(
++                "Insufficient privilege to delete a CA."))
++
+         if keys[0] == IPA_CA_CN:
+             raise errors.ProtectedEntryError(
+                 label=_("CA"),
+-- 
+2.9.3
+
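Review bot: Only `ca_del.pre_callback` gains a permission check, although the subject and description also name ca-enable and ca-disable; the diffstat (one file, 6 insertions) confirms that nothing else is touched. If this branch ships those two commands, they still reach Dogtag without a FreeIPA ACI check and need an equivalent guard, something like `if not ldap.can_write(dn, 'description'): raise errors.ACIError(...)`. If it does not ship them, the description should say that only ca-del applies here. `ca_enabled_check()` still runs ahead of the new check, so an unprivileged caller presumably can still learn whether CA support is enabled. `pre_callback` continues past the end of the hunk.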
diff --git a/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
new file mode 100644
index 0000000..16257b5
--- /dev/null
+++ b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
@@ -0,0 +1,129 @@
+From e5311fbfd5ad83671c61473d7acf4ddaf157e994 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 23 Feb 2017 13:04:19 +0000
+Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord`
+
+The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
+were incorrectly defined as `Str` instead of `Any`.
+
+https://fedorahosted.org/freeipa/ticket/6647
+
+Reviewed-By: Martin Basti <mbasti@redhat.com>
+---
+ ipaclient/remote_plugins/2_114/batch.py | 2 +-
+ ipaclient/remote_plugins/2_114/dns.py   | 2 +-
+ ipaclient/remote_plugins/2_156/batch.py | 2 +-
+ ipaclient/remote_plugins/2_156/dns.py   | 2 +-
+ ipaclient/remote_plugins/2_164/batch.py | 2 +-
+ ipaclient/remote_plugins/2_164/dns.py   | 2 +-
+ ipaclient/remote_plugins/2_49/batch.py  | 2 +-
+ ipaclient/remote_plugins/2_49/dns.py    | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_114/batch.py
++++ b/ipaclient/remote_plugins/2_114/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+     NO_CLI = True
+ 
+     takes_args = (
+-        parameters.Str(
++        parameters.Any(
+             'methods',
+             required=False,
+             multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
+index 5d91dbcb37fcb42cb67ab76a1871fd3df6217cf8..acb8a658204fb18b088766f947f82839f053cbf3 100644
+--- a/ipaclient/remote_plugins/2_114/dns.py
++++ b/ipaclient/remote_plugins/2_114/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+             'dnsclass',
+             required=False,
+         ),
+-        parameters.Str(
++        parameters.Any(
+             'dnsrecords',
+             required=False,
+             label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_156/batch.py
++++ b/ipaclient/remote_plugins/2_156/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+     NO_CLI = True
+ 
+     takes_args = (
+-        parameters.Str(
++        parameters.Any(
+             'methods',
+             required=False,
+             multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
+index 39a0b269533481bcb5b193ad8a463a48146e5275..bbfaa9fd0fb2b582430a5c85761af206d53884f9 100644
+--- a/ipaclient/remote_plugins/2_156/dns.py
++++ b/ipaclient/remote_plugins/2_156/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+             'dnsclass',
+             required=False,
+         ),
+-        parameters.Str(
++        parameters.Any(
+             'dnsrecords',
+             required=False,
+             label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_164/batch.py
++++ b/ipaclient/remote_plugins/2_164/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+     NO_CLI = True
+ 
+     takes_args = (
+-        parameters.Str(
++        parameters.Any(
+             'methods',
+             required=False,
+             multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
+index b07a94f1942e3913d6d169b61d84a3b3db268671..244be87f32db6664e5264038b97bc53b704ff166 100644
+--- a/ipaclient/remote_plugins/2_164/dns.py
++++ b/ipaclient/remote_plugins/2_164/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+             'dnsclass',
+             required=False,
+         ),
+-        parameters.Str(
++        parameters.Any(
+             'dnsrecords',
+             required=False,
+             label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
+index a1f351d332d56c959bf8632cb218de8540f45005..67e5978e634b71735c1940086a80943d967ff1f6 100644
+--- a/ipaclient/remote_plugins/2_49/batch.py
++++ b/ipaclient/remote_plugins/2_49/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+     NO_CLI = True
+ 
+     takes_args = (
+-        parameters.Str(
++        parameters.Any(
+             'methods',
+             required=False,
+             multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
+index 07cef75c2a97c07a77a9ffa3997ec6fa431e3151..4b543a2c2539f7b67467b0a38ab8013a1ebe0840 100644
+--- a/ipaclient/remote_plugins/2_49/dns.py
++++ b/ipaclient/remote_plugins/2_49/dns.py
+@@ -256,7 +256,7 @@ class dnsrecord(Object):
+             label=_(u'Class'),
+             doc=_(u'DNS class'),
+         ),
+-        parameters.Str(
++        parameters.Any(
+             'dnsrecords',
+             required=False,
+             label=_(u'Records'),
+-- 
+2.9.3
+
diff --git a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
deleted file mode 100644
index aed3a5a..0000000
--- a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale <ftweedal@redhat.com>
-Date: Fri, 13 Jan 2017 20:33:45 +1000
-Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
-
-CAs consist of a FreeIPA and a corresponding Dogtag object.  When
-executing ca-del, ca-enable and ca-disable, changes are made to the
-Dogtag object.  In the case of ca-del, the corresponding FreeIPA
-object is deleted after the Dogtag CA is deleted.
-
-These operations were not correctly authorised; the FreeIPA
-permissions are not checked before the Dogtag operations are
-executed.  This allows any user to delete, enable or disable a
-lightweight CA (except the main IPA CA, for which there are
-additional check to prevent deletion or disablement).
-
-Add the proper authorisation checks to the ca-del, ca-enable and
-ca-disable commands.
----
- ipaserver/plugins/ca.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
-index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
---- a/ipaserver/plugins/ca.py
-+++ b/ipaserver/plugins/ca.py
-@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
-     def pre_callback(self, ldap, dn, *keys, **options):
-         ca_enabled_check()
- 
-+        # ensure operator has permission to delete CA
-+        # before contacting Dogtag
-+        if not ldap.can_delete(dn):
-+            raise errors.ACIError(info=_(
-+                "Insufficient privilege to delete a CA."))
-+
-         if keys[0] == IPA_CA_CN:
-             raise errors.ProtectedEntryError(
-                 label=_("CA"),
--- 
-2.9.3
-
diff --git a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
deleted file mode 100644
index 1838e70..0000000
--- a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 12 Jan 2017 18:17:15 +0100
-Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
-
-When ipa-server-install configures PKI, it provides a configuration file
-with the parameter pki_ajp_host set to ::1. This parameter is used to configure
-Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
-    <Connector port="8009"
-            protocol="AJP/1.3"
-            redirectPort="8443"
-            address="::1" />
-ie all requests to port 8009 are redirected to port 8443 on address ::1.
-
-If the /etc/hosts config file does not define ::1 for localhost, then AJP
-redirection fails and replica install is not able to request a certificate
-for the replica.
-
-Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
-redirection with "localhost", FreeIPA does not need any more to override
-this setting.
-
-https://fedorahosted.org/freeipa/ticket/6575
-
-Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
----
- freeipa.spec.in                 | 4 ++--
- ipaserver/install/cainstance.py | 4 ----
- 2 files changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -159,8 +159,8 @@ Requires(post): systemd-units
- Requires: selinux-policy >= %{selinux_policy_version}
- Requires(post): selinux-policy-base >= %{selinux_policy_version}
- Requires: slapi-nis >= %{slapi_nis_version}
--Requires: pki-ca >= 10.3.4
--Requires: pki-kra >= 10.3.4
-+Requires: pki-ca >= 10.3.5-11
-+Requires: pki-kra >= 10.3.5-11
- Requires(preun): python systemd-units
- Requires(postun): python systemd-units
- Requires: zip
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
-             config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
-             config.set("CA", "pki_external_step_two", "True")
- 
--        # PKI IPv6 Configuration
--        config.add_section("Tomcat")
--        config.set("Tomcat", "pki_ajp_host", "::1")
--
-         # Generate configuration file
-         with open(cfg_file, "wb") as f:
-             config.write(f)
--- 
-2.9.3
-
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
- 
--- 
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index daaa822..162d988 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -43,7 +43,7 @@
 
 Name:           ipa
 Version:        4.4.0
-Release:        14%{?dist}.6
+Release:        14%{?dist}.7
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -51,10 +51,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -215,6 +215,10 @@ Patch0153:      0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch
 Patch0154:      0154-wait_for_entry-use-only-DN-as-parameter.patch
 Patch0155:      0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch
 Patch0156:      0156-Use-proper-logging-for-error-messages.patch
+Patch0157:      0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
+Patch0158:      0158-added-ssl-verification-using-IPA-trust-anchor.patch
+Patch0159:      0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+Patch0160:      0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -226,9 +230,6 @@ Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
 Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
 Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
-Patch1011:      1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
-Patch1012:      1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
-Patch1013:      ipa-centos-branding.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
@@ -808,10 +809,10 @@ for p in %patches ; do
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
 
 
@@ -1547,8 +1548,13 @@ fi
 
 
 %changelog
-* Thu Mar 02 2017 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos.6
-- Roll in CentOS Branding
+* Tue Mar 14 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.7
+- Resolves: #1429872 ipa-replica-install fails promotecustodia.create_replica
+  with cert errors (untrusted)
+  - added ssl verification using IPA trust anchor
+- Resolves: #1430674 batch param compatibility is incorrect
+  - compat: fix `Any` params in `batch` and `dnsrecord`
+- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream
 
 * Tue Jan 31 2017 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.6
 - Resolves: #1416488 replication race condition prevents IPA to install