|
|
67803c |
From fb857eac7f74c91fda65dd9d676b28b6df2eaa78 Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
67803c |
Date: Thu, 3 Jan 2019 20:08:36 -0600
|
|
|
67803c |
Subject: [PATCH 1/7] Removed validation for token state transitions
|
|
|
67803c |
|
|
|
67803c |
The TPSSubsystem has been modified to remove the validation for
|
|
|
67803c |
tokendb.allowedTransitions property. This will allow adding new
|
|
|
67803c |
transitions via PKI CLI or TPS Web UI.
|
|
|
67803c |
|
|
|
67803c |
The TPSSubsystem will continue to validate tps.operations.allowedTransitions
|
|
|
67803c |
as before so it will only allow transitions already defined in
|
|
|
67803c |
the default CS.cfg.
|
|
|
67803c |
|
|
|
67803c |
https://bugzilla.redhat.com/show_bug.cgi?id=1470433
|
|
|
67803c |
(cherry picked from commit e9079332d66f166cd89673e2160fd52dbb48728c)
|
|
|
67803c |
---
|
|
|
67803c |
.../src/org/dogtagpki/server/tps/TPSSubsystem.java | 4 +-
|
|
|
67803c |
docs/admin/TPS_Token_Lifecycle.md | 139 +++++++++++++++++++++
|
|
|
67803c |
2 files changed, 141 insertions(+), 2 deletions(-)
|
|
|
67803c |
create mode 100644 docs/admin/TPS_Token_Lifecycle.md
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
|
|
|
67803c |
index 2f43ba3..0e8f318 100644
|
|
|
67803c |
--- a/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
|
|
|
67803c |
+++ b/base/tps/src/org/dogtagpki/server/tps/TPSSubsystem.java
|
|
|
67803c |
@@ -126,8 +126,8 @@ public class TPSSubsystem implements IAuthority, ISubsystem {
|
|
|
67803c |
|
|
|
67803c |
FileConfigStore defaultConfig = new FileConfigStore("/usr/share/pki/tps/conf/CS.cfg");
|
|
|
67803c |
|
|
|
67803c |
- uiTransitions = loadAndValidateTokenStateTransitions(
|
|
|
67803c |
- defaultConfig, cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS);
|
|
|
67803c |
+ uiTransitions = loadTokenStateTransitions(
|
|
|
67803c |
+ cs, TPSEngine.CFG_TOKENDB_ALLOWED_TRANSITIONS);
|
|
|
67803c |
|
|
|
67803c |
operationTransitions = loadAndValidateTokenStateTransitions(
|
|
|
67803c |
defaultConfig, cs, TPSEngine.CFG_OPERATIONS_ALLOWED_TRANSITIONS);
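Review bot: Dropping the default-config check for tokendb.allowedTransitions means whatever ends up in the instance CS.cfg is accepted verbatim, including lifecycle-breaking pairs such as a TERMINATED or PERM_LOST token going straight back to ACTIVE, so at minimum `loadTokenStateTransitions` should still reject codes that are not a defined token state and log a warning naming every transition that is absent from the packaged default; its body is not in the hunk, so confirm it does. The commit message frames this as enabling additions via CLI or Web UI, which makes the audit record of who added a transition matter more, not less. Note also that the lifecycle doc added in this same commit swaps the labels for 3:2 (per the state table it is SUSPENDED→PERM_LOST) and 3:6 (SUSPENDED→TERMINATED), and lists the auto-generated SUSPENDED→FORMATTED transition as 3:2 where 3:0 is meant. The enclosing method starts and ends outside the hunk.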
|
|
|
67803c |
diff --git a/docs/admin/TPS_Token_Lifecycle.md b/docs/admin/TPS_Token_Lifecycle.md
|
|
|
67803c |
new file mode 100644
|
|
|
67803c |
index 0000000..194a95f
|
|
|
67803c |
--- /dev/null
|
|
|
67803c |
+++ b/docs/admin/TPS_Token_Lifecycle.md
|
|
|
67803c |
@@ -0,0 +1,139 @@
|
|
|
67803c |
+# TPS Token Lifecycle
|
|
|
67803c |
+
|
|
|
67803c |
+## Token States
|
|
|
67803c |
+
|
|
|
67803c |
+Below are the supported token states in TPS:
|
|
|
67803c |
+
|
|
|
67803c |
+| Code | Name | Label |
|
|
|
67803c |
+| ---- | ----------- | ---------------------------- |
|
|
|
67803c |
+| 0 | FORMATTED | Formatted (uninitialized) |
|
|
|
67803c |
+| 1 | DAMAGED | Physically damaged |
|
|
|
67803c |
+| 2 | PERM_LOST | Permanently lost |
|
|
|
67803c |
+| 3 | SUSPENDED | Suspended (temporarily lost) |
|
|
|
67803c |
+| 4 | ACTIVE | Active |
|
|
|
67803c |
+| 6 | TERMINATED | Terminated |
|
|
|
67803c |
+| 7 | UNFORMATTED | Unformatted |
|
|
|
67803c |
+
|
|
|
67803c |
+In the CS.cfg the token states will be displayed by their codes.
|
|
|
67803c |
+In PKI CLI the token states will be displayed by their names.
|
|
|
67803c |
+In TPS Web UI the token states will be displayed by their labels.
|
|
|
67803c |
+
|
|
|
67803c |
+## Token State Transitions via PKI CLI or TPS Web UI
|
|
|
67803c |
+
|
|
|
67803c |
+Token state can be changed via PKI CLI or TPS Web UI.
|
|
|
67803c |
+The transitions that can be done via PKI CLI or TPS Web UI are defined in the following property in
|
|
|
67803c |
+/etc/pki/<instance>/tps/CS.cfg:
|
|
|
67803c |
+
|
|
|
67803c |
+```
|
|
|
67803c |
+tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7
|
|
|
67803c |
+```
|
|
|
67803c |
+
|
|
|
67803c |
+The property contains a comma-separated list of transitions. Each transition is written in this format:
|
|
|
67803c |
+
|
|
|
67803c |
+ <current state code>:<new state code>
|
|
|
67803c |
+
|
|
|
67803c |
+The above list represents the following transitions:
|
|
|
67803c |
+
|
|
|
67803c |
+| Transition | Current State | Next State | Label |
|
|
|
67803c |
+| ---------- | ------------- | ----------- | -------------------------------------------------------------- |
|
|
|
67803c |
+| 0:1 | FORMATTED | DAMAGED | This token has been physically damaged. |
|
|
|
67803c |
+| 0:2 | FORMATTED | PERM_LOST | This token has been permanently lost. |
|
|
|
67803c |
+| 0:3 | FORMATTED | SUSPENDED | This token has been suspended (temporarily lost). |
|
|
|
67803c |
+| 0:6 | FORMATTED | TERMINATED | This token has been terminated. |
|
|
|
67803c |
+| 3:2 | SUSPENDED | TERMINATED | This suspended (temporarily lost) token has been terminated. |
|
|
|
67803c |
+| 3:6 | SUSPENDED | PERM_LOST | This suspended (temporarily lost) has become permanently lost. |
|
|
|
67803c |
+| 4:1 | ACTIVE | DAMAGED | This token has been physically damaged. |
|
|
|
67803c |
+| 4:2 | ACTIVE | PERM_LOST | This token has been permanently lost. |
|
|
|
67803c |
+| 4:3 | ACTIVE | SUSPENDED | This token has been suspended (temporarily lost). |
|
|
|
67803c |
+| 4:6 | ACTIVE | TERMINATED | This token has been terminated. |
|
|
|
67803c |
+| 6:7 | TERMINATED | UNFORMATTED | Reuse this token. |
|
|
|
67803c |
+
|
|
|
67803c |
+The following transitions are generated automatically depending on the original state of the token.
|
|
|
67803c |
+If a token was originally FORMATTED then became SUSPENDED, it can only return to FORMATTED state.
|
|
|
67803c |
+If a token was originally ACTIVE then became SUSPENDED, it can only return to the ACTIVE state.
|
|
|
67803c |
+
|
|
|
67803c |
+| Transition | Current State | Next State | Label |
|
|
|
67803c |
+| ---------- | ------------- | ---------- | ------------------------------------------------------- |
|
|
|
67803c |
+| 3:2 | SUSPENDED | FORMATTED | This suspended (temporarily lost) token has been found. |
|
|
|
67803c |
+| 3:4 | SUSPENDED | ACTIVE | This suspended (temporarily lost) token has been found. |
|
|
|
67803c |
+
|
|
|
67803c |
+To customize the tokendb.allowedTransitions property, edit the property in /etc/pki/<instance>/tps/CS.cfg,
|
|
|
67803c |
+then restart the server.
|
|
|
67803c |
+
|
|
|
67803c |
+## Token State Transitions via Token Operations
|
|
|
67803c |
+
|
|
|
67803c |
+Token states can also be changed via token operations (e.g. format, enroll).
|
|
|
67803c |
+The transitions that can be done via token operations are defined in the following property in
|
|
|
67803c |
+/etc/pki/<instance>/tps/CS.cfg:
|
|
|
67803c |
+
|
|
|
67803c |
+```
|
|
|
67803c |
+tps.operations.allowedTransitions=0:0,0:4,4:4,4:0,7:0
|
|
|
67803c |
+```
|
|
|
67803c |
+
|
|
|
67803c |
+The property contains a comma-delimited list of transitions.
|
|
|
67803c |
+Each transition is written in this format:
|
|
|
67803c |
+
|
|
|
67803c |
+ <current state code>:<new state code>
|
|
|
67803c |
+
|
|
|
67803c |
+The above list represents the following transitions:
|
|
|
67803c |
+
|
|
|
67803c |
+| Transition | Current State | Next State | Description |
|
|
|
67803c |
+| ---------- | ------------- | ---------- | --------------------------------------------------------------------- |
|
|
|
67803c |
+| 0:0 | FORMATTED | FORMATTED | This allows reformatting a token or upgrading applet/key in a token. |
|
|
|
67803c |
+| 0:4 | FORMATTED | ACTIVE | This allows enrolling a token. |
|
|
|
67803c |
+| 4:4 | ACTIVE | ACTIVE | This allows re-enrolling an active token (for external registration). |
|
|
|
67803c |
+| 4:0 | ACTIVE | FORMATTED | This allows formatting an active token. |
|
|
|
67803c |
+| 7:0 | UNFORMATTED | FORMATTED | This allows formatting a blank or previously used token. |
|
|
|
67803c |
+
|
|
|
67803c |
+To customize the tps.operations.allowedTransitions property, edit the property in /etc/pki/<instance>/tps/CS.cfg,
|
|
|
67803c |
+then restart the server.
|
|
|
67803c |
+
|
|
|
67803c |
+This property can only be customized to remove transitions from the original list.
|
|
|
67803c |
+New transitions cannot be added into tps.operations.allowedTransitions unless it is already defined
|
|
|
67803c |
+in the default tps.operations.allowedTransitions in /usr/share/pki/tps/conf/CS.cfg.
|
|
|
67803c |
+
|
|
|
67803c |
+## Token State and Transition Labels for TPS Web UI
|
|
|
67803c |
+
|
|
|
67803c |
+The default token state and transition labels for TPS Web UI are defined in /usr/share/pki/tps/conf/token-states.properties:
|
|
|
67803c |
+
|
|
|
67803c |
+```
|
|
|
67803c |
+# Token states
|
|
|
67803c |
+UNFORMATTED = Unformatted
|
|
|
67803c |
+FORMATTED = Formatted (uninitialized)
|
|
|
67803c |
+ACTIVE = Active
|
|
|
67803c |
+SUSPENDED = Suspended (temporarily lost)
|
|
|
67803c |
+PERM_LOST = Permanently lost
|
|
|
67803c |
+DAMAGED = Physically damaged
|
|
|
67803c |
+TEMP_LOST_PERM_LOST = Temporarily lost then permanently lost
|
|
|
67803c |
+TERMINATED = Terminated
|
|
|
67803c |
+
|
|
|
67803c |
+# Token state transitions
|
|
|
67803c |
+FORMATTED.DAMAGED = This token has been physically damaged.
|
|
|
67803c |
+FORMATTED.PERM_LOST = This token has been permanently lost.
|
|
|
67803c |
+FORMATTED.SUSPENDED = This token has been suspended (temporarily lost).
|
|
|
67803c |
+FORMATTED.TERMINATED = This token has been terminated.
|
|
|
67803c |
+SUSPENDED.ACTIVE = This suspended (temporarily lost) token has been found.
|
|
|
67803c |
+SUSPENDED.PERM_LOST = This suspended (temporarily lost) token has become permanently lost.
|
|
|
67803c |
+SUSPENDED.TERMINATED = This suspended (temporarily lost) token has been terminated.
|
|
|
67803c |
+SUSPENDED.FORMATTED = This suspended (temporarily lost) token has been found.
|
|
|
67803c |
+ACTIVE.DAMAGED = This token has been physically damaged.
|
|
|
67803c |
+ACTIVE.PERM_LOST = This token has been permanently lost.
|
|
|
67803c |
+ACTIVE.SUSPENDED = This token has been suspended (temporarily lost).
|
|
|
67803c |
+ACTIVE.TERMINATED = This token has been terminated.
|
|
|
67803c |
+TERMINATED.UNFORMATTED = Reuse this token.
|
|
|
67803c |
+```
|
|
|
67803c |
+
|
|
|
67803c |
+To customize the labels, copy the default token-states.properties into TPS configuration folder:
|
|
|
67803c |
+
|
|
|
67803c |
+```
|
|
|
67803c |
+$ cp /usr/share/pki/tps/conf/token-states.properties /var/lib/pki/pki-tomcat/tps/conf
|
|
|
67803c |
+```
|
|
|
67803c |
+Then edit the new file.
|
|
|
67803c |
+There is no need to restart the server, but the TPS Web UI will need to be reloaded.
|
|
|
67803c |
+
|
|
|
67803c |
+To remove the customized labels simply delete the customized file:
|
|
|
67803c |
+
|
|
|
67803c |
+```
|
|
|
67803c |
+$ rm /var/lib/pki/pki-tomcat/tps/conf/token-states.properties
|
|
|
67803c |
+```
|
|
|
67803c |
+Then reload the TPS Web UI.
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|
|
|
67803c |
|
|
|
67803c |
From 80c61529b041dca01116726535de87f18a5d16cd Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
|
|
|
67803c |
Date: Thu, 15 Aug 2019 12:23:57 -0400
|
|
|
67803c |
Subject: [PATCH 2/7] Resolve (additional patch for) Bug 1470410 - TPS doesn't
|
|
|
67803c |
update revocation status when certificate already marked as
|
|
|
67803c |
unformatted/terminated/damaged
|
|
|
67803c |
|
|
|
67803c |
This is one of the previously missed patches.
|
|
|
67803c |
Submitted by RHCS-maint
|
|
|
67803c |
|
|
|
67803c |
(cherry picked from commit e4b9e6ed3cf03bd8c026d2d944b615f9b306219a)
|
|
|
67803c |
---
|
|
|
67803c |
base/ca/src/com/netscape/ca/CAService.java | 8 +++++---
|
|
|
67803c |
.../src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java | 3 ++-
|
|
|
67803c |
2 files changed, 7 insertions(+), 4 deletions(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
|
|
|
67803c |
index e4e4efe..4e8afac 100644
|
|
|
67803c |
--- a/base/ca/src/com/netscape/ca/CAService.java
|
|
|
67803c |
+++ b/base/ca/src/com/netscape/ca/CAService.java
|
|
|
67803c |
@@ -981,7 +981,7 @@ public class CAService implements ICAService, IService {
|
|
|
67803c |
CRLExtensions crlentryexts = crlentry.getExtensions();
|
|
|
67803c |
String msg = "";
|
|
|
67803c |
|
|
|
67803c |
- CMS.debug("CAService.revokeCert: revokeCert begins");
|
|
|
67803c |
+ CMS.debug("CAService.revokeCert: revokeCert begins: serial:" + serialno.toString());
|
|
|
67803c |
|
|
|
67803c |
// Get the revocation reason
|
|
|
67803c |
Enumeration enum1 = crlentryexts.getElements();
|
|
|
67803c |
@@ -1000,6 +1000,7 @@ public class CAService implements ICAService, IService {
|
|
|
67803c |
CMS.getUserMessage("CMS_CA_MISSING_REV_REASON",
|
|
|
67803c |
"0x" + serialno.toString(16)));
|
|
|
67803c |
}
|
|
|
67803c |
+ CMS.debug("CAService.revokeCert: revocaton request revocation reason: " + revReason.toString());
|
|
|
67803c |
|
|
|
67803c |
CertRecord certRec = (CertRecord) mCA.getCertificateRepository().readCertificateRecord(serialno);
|
|
|
67803c |
|
|
|
67803c |
@@ -1026,6 +1027,7 @@ public class CAService implements ICAService, IService {
|
|
|
67803c |
CMS.debug("CAService.revokeCert: " + msg);
|
|
|
67803c |
throw new EBaseException(msg);
|
|
|
67803c |
}
|
|
|
67803c |
+ CMS.debug("CAService.revokeCert: already revoked cert with existing revocation reason:" + recRevReason.toString());
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
// for cert already revoked, also check whether revocation reason is changed from SUPERSEDED to KEY_COMPROMISE
|
|
|
67803c |
@@ -1044,11 +1046,11 @@ public class CAService implements ICAService, IService {
|
|
|
67803c |
try {
|
|
|
67803c |
// if cert has already revoked, update the revocation info only
|
|
|
67803c |
CMS.debug("CAService.revokeCert: about to call markAsRevoked");
|
|
|
67803c |
- if (certStatus.equals(ICertRecord.STATUS_REVOKED) && certRec.isCertOnHold()) {
|
|
|
67803c |
+ if (certStatus.equals(ICertRecord.STATUS_REVOKED)) {
|
|
|
67803c |
mCA.getCertificateRepository().markAsRevoked(serialno,
|
|
|
67803c |
new RevocationInfo(revdate, crlentryexts),
|
|
|
67803c |
true /*isAlreadyRevoked*/);
|
|
|
67803c |
- CMS.debug("CAService.revokeCert: on_hold cert marked revoked");
|
|
|
67803c |
+ CMS.debug("CAService.revokeCert: Already-revoked cert marked revoked");
|
|
|
67803c |
mCA.log(ILogger.LL_INFO,
|
|
|
67803c |
CMS.getLogMessage("CMSCORE_CA_CERT_REVO_INFO_UPDATE",
|
|
|
67803c |
recRevReason.toString(),
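Review bot: With the `certRec.isCertOnHold()` condition removed, every revocation request for an already-revoked certificate now rewrites its RevocationInfo with the incoming `revdate` and extensions, so a second request can move the revocation date later or replace KEY_COMPROMISE with a milder reason, both of which weaken what the CRL asserts about that certificate. The comment just above this hunk says the intent is to allow a change from SUPERSEDED to KEY_COMPROMISE, so the guard should express that instead of disappearing: keep the update for the on-hold case and for the case where the incoming reason is KEY_COMPROMISE and the stored `recRevReason` is not, and preserve the original revocation date rather than overwriting it. The reason comparison before the hunk and the remainder of `revokeCert` are outside the hunk, so confirm against them.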
|
|
|
67803c |
diff --git a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
|
|
|
67803c |
index 39529c9..16ae5fd 100644
|
|
|
67803c |
--- a/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
|
|
|
67803c |
+++ b/base/tps/src/org/dogtagpki/server/tps/cms/CARemoteRequestHandler.java
|
|
|
67803c |
@@ -540,10 +540,11 @@ public class CARemoteRequestHandler extends RemoteRequestHandler
|
|
|
67803c |
} else {
|
|
|
67803c |
CMS.debug("CARemoteRequestHandler: revokeCertificate(): using default ca ID:" + connid);
|
|
|
67803c |
}
|
|
|
67803c |
- CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins on serial#:" + serialno);
|
|
|
67803c |
+ CMS.debug("CARemoteRequestHandler: revokeCertificate(): begins");
|
|
|
67803c |
if (serialno == null || reason == null) {
|
|
|
67803c |
throw new EBaseException("CARemoteRequestHandler: revokeCertificate(): input parameter null.");
|
|
|
67803c |
}
|
|
|
67803c |
+ CMS.debug("CARemoteRequestHandler: revokeCertificate(): revoking serial#:" + serialno + "; reason String:" + reason.toString() + "; reason code:" + reason.getCode());
|
|
|
67803c |
|
|
|
67803c |
// IConfigStore conf = CMS.getConfigStore();
|
|
|
67803c |
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|
|
|
67803c |
|
|
|
67803c |
From aef8f648e4651f29cec0ba7e8235185d94e8f39b Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
|
|
|
67803c |
Date: Thu, 15 Aug 2019 18:21:33 -0400
|
|
|
67803c |
Subject: [PATCH 3/7] Resolve (additiona patch for) Bug 1470433 - Add supported
|
|
|
67803c |
transitions to TPS
|
|
|
67803c |
|
|
|
67803c |
per suggestion in comment#4
|
|
|
67803c |
|
|
|
67803c |
Submitted by RHCS-maint.
|
|
|
67803c |
|
|
|
67803c |
(cherry picked from commit f9c10c352fc2129cd9f2cdf6baade6e445de5bd0)
|
|
|
67803c |
---
|
|
|
67803c |
base/tps/shared/conf/CS.cfg | 2 +-
|
|
|
67803c |
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
index 8a9d828..eb5b831 100644
|
|
|
67803c |
--- a/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
+++ b/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
@@ -2448,7 +2448,7 @@ tokendb.addConfigTemplate=addConfig.template
|
|
|
67803c |
tokendb.addResultTemplate=addResults.template
|
|
|
67803c |
tokendb.agentSelectConfigTemplate=agentSelectConfig.template
|
|
|
67803c |
tokendb.agentViewConfigTemplate=agentViewConfig.template
|
|
|
67803c |
-tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7
|
|
|
67803c |
+tokendb.allowedTransitions=0:1,0:2,0:3,0:6,3:2,3:6,4:1,4:2,4:3,4:6,6:7,1:2,7:1,7:2,6:1,6:2,3:1,3:4
|
|
|
67803c |
tokendb.auditAdminTemplate=auditAdmin.template
|
|
|
67803c |
tokendb.auditLog=[PKI_INSTANCE_PATH]/logs/tokendb-audit.log
|
|
|
67803c |
tokendb.baseDN=ou=Tokens,[TOKENDB_ROOT]
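Review bot: Adding `3:4` to the static list lets an operator mark any SUSPENDED token ACTIVE from the CLI or Web UI, while the lifecycle doc added in patch 1 describes SUSPENDED→ACTIVE as generated only for tokens that were ACTIVE before suspension; if that origin-state rule lives in the generation step rather than in this list, the entry bypasses it and a FORMATTED-then-SUSPENDED token can become ACTIVE without an enrollment. `6:1` and `6:2` likewise reopen TERMINATED, which the same doc treats as final apart from 6:7 reuse. Each of these should be justified in the bug or dropped, and since patch 1 no longer validates this property against the packaged default, that justification is the only control left. Existing instances keep their own /etc/pki/<instance>/tps/CS.cfg, so this only affects new deployments unless documented as a manual upgrade step.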
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|
|
|
67803c |
|
|
|
67803c |
From a336e4d5a27f4de9d39b4e8131e0da5889ad8dd4 Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
|
|
|
67803c |
Date: Mon, 19 Aug 2019 21:26:23 -0400
|
|
|
67803c |
Subject: [PATCH 4/7] =?UTF-8?q?Resolve=20Bug=201585722=20-=20TMS=20-=20PKI?=
|
|
|
67803c |
=?UTF-8?q?SocketFactory=20=E2=80=93=20Modify=20Logging=20to=20Allow=20Ext?=
|
|
|
67803c |
=?UTF-8?q?ernal=20Use=20of=20class=20to=20work=20like=20CS8?=
|
|
|
67803c |
MIME-Version: 1.0
|
|
|
67803c |
Content-Type: text/plain; charset=UTF-8
|
|
|
67803c |
Content-Transfer-Encoding: 8bit
|
|
|
67803c |
|
|
|
67803c |
Submitted by RHCS-maint.
|
|
|
67803c |
|
|
|
67803c |
(cherry picked from commit 67b3b4fa936aa60618c2084dbbc15e8f9a13a699)
|
|
|
67803c |
---
|
|
|
67803c |
.../cmscore/ldapconn/PKISocketFactory.java | 59 +++++++++++++++++-----
|
|
|
67803c |
1 file changed, 45 insertions(+), 14 deletions(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
|
|
|
67803c |
index e9f28c9..00df65b 100644
|
|
|
67803c |
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
|
|
|
67803c |
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
|
|
|
67803c |
@@ -23,6 +23,8 @@ import java.net.Socket;
|
|
|
67803c |
import java.net.UnknownHostException;
|
|
|
67803c |
import java.util.Iterator;
|
|
|
67803c |
import java.util.Vector;
|
|
|
67803c |
+import java.util.logging.Level;
|
|
|
67803c |
+import java.util.logging.Logger;
|
|
|
67803c |
|
|
|
67803c |
import org.mozilla.jss.ssl.SSLClientCertificateSelectionCallback;
|
|
|
67803c |
import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
|
|
|
67803c |
@@ -48,6 +50,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
private String mClientAuthCertNickname;
|
|
|
67803c |
private boolean mClientAuth;
|
|
|
67803c |
private boolean keepAlive;
|
|
|
67803c |
+ private static boolean external = false;
|
|
|
67803c |
PKIClientSocketListener sockListener = null;
|
|
|
67803c |
|
|
|
67803c |
public PKISocketFactory() {
|
|
|
67803c |
@@ -65,22 +68,34 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
init();
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
+ public PKISocketFactory(String certNickname, boolean external) {
|
|
|
67803c |
+ this.secure = true;
|
|
|
67803c |
+ PKISocketFactory.external = external;
|
|
|
67803c |
+ mClientAuthCertNickname = certNickname;
|
|
|
67803c |
+ init();
|
|
|
67803c |
+ }
|
|
|
67803c |
+
|
|
|
67803c |
public void init() {
|
|
|
67803c |
try {
|
|
|
67803c |
- IConfigStore cs = CMS.getConfigStore();
|
|
|
67803c |
- keepAlive = cs.getBoolean("tcp.keepAlive", true);
|
|
|
67803c |
- CMS.debug("TCP Keep-Alive: " + keepAlive);
|
|
|
67803c |
+ if(!external){
|
|
|
67803c |
+ IConfigStore cs = CMS.getConfigStore();
|
|
|
67803c |
+ keepAlive = cs.getBoolean("tcp.keepAlive", true);
|
|
|
67803c |
+ } else {
|
|
|
67803c |
+ keepAlive = true;
|
|
|
67803c |
+ }
|
|
|
67803c |
+
|
|
|
67803c |
+ log(Level.INFO, "TCP Keep-Alive: " + keepAlive, null);
|
|
|
67803c |
sockListener = new PKIClientSocketListener();
|
|
|
67803c |
|
|
|
67803c |
} catch (Exception e) {
|
|
|
67803c |
- CMS.debug(e);
|
|
|
67803c |
+ log(Level.SEVERE, null, e);
|
|
|
67803c |
throw new RuntimeException("Unable to read TCP configuration: " + e, e);
|
|
|
67803c |
}
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
public SSLSocket makeSSLSocket(String host, int port) throws UnknownHostException, IOException {
|
|
|
67803c |
String method = "ldapconn/PKISocketFactory.makeSSLSocket: ";
|
|
|
67803c |
- CMS.debug(method + "begins");
|
|
|
67803c |
+ log(Level.INFO, method + "begins", null);
|
|
|
67803c |
|
|
|
67803c |
/*
|
|
|
67803c |
* let inherit TLS range and cipher settings
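Review bot: `external` is a static field but is assigned from the new instance constructor (`PKISocketFactory.external = external;`), so the most recently constructed factory decides for every factory in the JVM whether `init()` reads `tcp.keepAlive` from the config store and whether logging goes to CMS.debug or java.util.logging; one external instance created in-process would silently switch the server's own LDAP socket factories. Make it an instance field (`private final boolean external;` / `this.external = external;`) and hand it to the static nested callbacks that also call `log`, or at least document that the class is process-wide single-mode. The external path also hard-codes `keepAlive = true` with no override; a one-line comment stating that is deliberate would help. The earlier constructors and the `secure` field are outside the hunk, so confirm the new constructor does not skip initialization they perform.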
|
|
|
67803c |
@@ -115,8 +130,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
|
|
|
67803c |
if (mClientAuthCertNickname != null) {
|
|
|
67803c |
mClientAuth = true;
|
|
|
67803c |
- CMS.debug("LdapJssSSLSocket: set client auth cert nickname " +
|
|
|
67803c |
- mClientAuthCertNickname);
|
|
|
67803c |
+ log(Level.INFO, method + " set client auth cert nickname " +
|
|
|
67803c |
+ mClientAuthCertNickname, null);
|
|
|
67803c |
|
|
|
67803c |
//We have already established the manual cert selection callback
|
|
|
67803c |
//Doing it this way will provide some debugging info on the candidate certs
|
|
|
67803c |
@@ -127,6 +142,8 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
public Socket makeSocket(String host, int port) throws LDAPException {
|
|
|
67803c |
+ String method = "ldapconn/PKISocketFactory.makeSocket: ";
|
|
|
67803c |
+ log(Level.INFO, method + "begins", null);
|
|
|
67803c |
Socket s = null;
|
|
|
67803c |
|
|
|
67803c |
try {
|
|
|
67803c |
@@ -145,7 +162,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
try {
|
|
|
67803c |
s.close();
|
|
|
67803c |
} catch (IOException e1) {
|
|
|
67803c |
- CMS.debug(e1);
|
|
|
67803c |
+ log(Level.SEVERE, null, e1);
|
|
|
67803c |
}
|
|
|
67803c |
}
|
|
|
67803c |
throw new LDAPException("Unable to create socket: " + e);
|
|
|
67803c |
@@ -165,6 +182,20 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
public void log(int level, String msg) {
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
+ private static void log(Level level, String msg, Exception e) {
|
|
|
67803c |
+ if(!external && e != null){
|
|
|
67803c |
+ CMS.debug(e);
|
|
|
67803c |
+ } else if (!external) {
|
|
|
67803c |
+ CMS.debug(msg);
|
|
|
67803c |
+ } else {
|
|
|
67803c |
+ if(e != null){
|
|
|
67803c |
+ Logger.getLogger("PKISocketFactory").log(level, e.getMessage());
|
|
|
67803c |
+ } else {
|
|
|
67803c |
+ Logger.getLogger("PKISocketFactory").log(level, msg);
|
|
|
67803c |
+ }
|
|
|
67803c |
+ }
|
|
|
67803c |
+ }
|
|
|
67803c |
+
|
|
|
67803c |
static class ClientHandshakeCB implements SSLHandshakeCompletedListener {
|
|
|
67803c |
Object sc;
|
|
|
67803c |
|
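Review bot: In the external branch the exception path logs only `e.getMessage()`, which drops the stack trace and prints "null" for exceptions without a message; use the throwable overload, `Logger.getLogger("PKISocketFactory").log(level, msg != null ? msg : e.toString(), e);`. The `level` argument is ignored in the non-external branch, where INFO and SEVERE both end up in CMS.debug, so either route SEVERE to an error-level CMS call or note in a comment that the level is honored only when external. The logger name should be `PKISocketFactory.class.getName()` so it sits in the package hierarchy for configuration. The pre-existing public no-op `log(int, String)` now sits beside a private `log` with a different signature; a comment on why the public one is empty would avoid confusion.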
|
|
67803c |
@@ -173,7 +204,7 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
|
|
|
67803c |
- CMS.debug("SSL handshake happened");
|
|
|
67803c |
+ log(Level.INFO, "SSL handshake happened", null);
|
|
|
67803c |
}
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
@@ -181,14 +212,14 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
String desiredCertName = null;
|
|
|
67803c |
|
|
|
67803c |
public SSLClientCertificateSelectionCB(String clientAuthCertNickname) {
|
|
|
67803c |
- CMS.debug("SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname);
|
|
|
67803c |
+ log(Level.INFO, "SSLClientCertificateSelectionCB: Setting desired cert nickname to: " + clientAuthCertNickname, null);
|
|
|
67803c |
desiredCertName = clientAuthCertNickname;
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
@Override
|
|
|
67803c |
public String select(Vector certs) {
|
|
|
67803c |
|
|
|
67803c |
- CMS.debug("SSLClientCertificatSelectionCB: Entering!");
|
|
|
67803c |
+ log(Level.INFO, "SSLClientCertificatSelectionCB: Entering!", null);
|
|
|
67803c |
|
|
|
67803c |
if(desiredCertName == null) {
|
|
|
67803c |
return null;
|
|
|
67803c |
@@ -200,15 +231,15 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
|
|
|
67803c |
|
|
|
67803c |
while(itr.hasNext()){
|
|
|
67803c |
String candidate = itr.next();
|
|
|
67803c |
- CMS.debug("Candidate cert: " + candidate);
|
|
|
67803c |
+ log(Level.INFO, "Candidate cert: " + candidate, null);
|
|
|
67803c |
if(desiredCertName.equalsIgnoreCase(candidate)) {
|
|
|
67803c |
selection = candidate;
|
|
|
67803c |
- CMS.debug("SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName);
|
|
|
67803c |
+ log(Level.INFO, "SSLClientCertificateSelectionCB: desired cert found in list: " + desiredCertName, null);
|
|
|
67803c |
break;
|
|
|
67803c |
}
|
|
|
67803c |
}
|
|
|
67803c |
|
|
|
67803c |
- CMS.debug("SSLClientCertificateSelectionCB: returning: " + selection);
|
|
|
67803c |
+ log(Level.INFO, "SSLClientCertificateSelectionCB: returning: " + selection, null);
|
|
|
67803c |
return selection;
|
|
|
67803c |
|
|
|
67803c |
}
|
|
|
67803c |
--
|
|
|
67803c |
1.8.3.1
|
|
|
67803c |
|
|
|
67803c |
|
|
|
67803c |
From c92c65f52dcff03f47fc7f05efa427ee9166c2e6 Mon Sep 17 00:00:00 2001
|
|
|
67803c |
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
|
|
|
67803c |
Date: Mon, 26 Aug 2019 18:47:02 -0400
|
|
|
67803c |
Subject: [PATCH 5/7] =?UTF-8?q?Resolve=20(addition=20issues=20for)=20Bug?=
|
|
|
67803c |
=?UTF-8?q?=201642577=20-=20TPS=20=E2=80=93=20Revoked=20Encryption=20Certi?=
|
|
|
67803c |
=?UTF-8?q?ficates=20Marked=20as=20Active=20in=20TPS=20Cert=20LDAP=20Durin?=
|
|
|
67803c |
=?UTF-8?q?g=20Token=20Key=20Recovery?=
|
|
|
67803c |
MIME-Version: 1.0
|
|
|
67803c |
Content-Type: text/plain; charset=UTF-8
|
|
|
67803c |
Content-Transfer-Encoding: 8bit
|
|
|
67803c |
|
|
|
67803c |
This patch addresses the following:
|
|
|
67803c |
* in TokenKeyRecoveryService.java, unwrap should be called with temporary=true
|
|
|
67803c |
* in CS.cfg, auths.instance.ldap1.ldapStringAttributes and auths.instance.ldap1.externalReg.attributes are expanded to include additional elements
|
|
|
67803c |
* in CS.cfg registrationTypeAttributeName is added as original submitter suggested
|
|
|
67803c |
* TPSEnrollProcessor.java, additional error checkings
|
|
|
67803c |
* TPSProcessor.java, addresses case sensitive nature of List "contains" method
|
|
|
67803c |
|
|
|
67803c |
(cherry picked from commit 24bdc1e39a5bad6b944f6f5571bf48e7e2af52f6)
|
|
|
67803c |
---
|
|
|
67803c |
.../com/netscape/kra/TokenKeyRecoveryService.java | 2 +-
|
|
|
67803c |
base/tps/shared/conf/CS.cfg | 4 ++-
|
|
|
67803c |
.../server/tps/processor/TPSEnrollProcessor.java | 2 +-
|
|
|
67803c |
.../server/tps/processor/TPSProcessor.java | 34 ++++++++++++++++++----
|
|
|
67803c |
4 files changed, 34 insertions(+), 8 deletions(-)
|
|
|
67803c |
|
|
|
67803c |
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
67803c |
index dcccc78..e95945a 100644
|
|
|
67803c |
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
67803c |
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
|
|
|
67803c |
@@ -678,7 +678,7 @@ public class TokenKeyRecoveryService implements IService {
|
|
|
67803c |
privKey = mStorageUnit.unwrap(
|
|
|
67803c |
keyRecord.getPrivateKeyData(),
|
|
|
67803c |
pubkey,
|
|
|
67803c |
- false,
|
|
|
67803c |
+ true,
|
|
|
67803c |
keyRecord.getWrappingParams(mStorageUnit.getOldWrappingParams()));
|
|
|
67803c |
} catch (Exception e) {
|
|
|
67803c |
CMS.debug("TokenKeyRecoveryService: recoverKey() - recovery failure");
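Review bot: The flip from `false` to `true` on the unwrap call has no comment, and a bare boolean argument is exactly what a later reader will revert; add `// temporary=true: keep the recovered private key as a session object instead of persisting it in the KRA's key database` above the call, assuming that is the semantics of this parameter position (inferred from the commit message; confirm against the `unwrap` signature). If the previous value did persist recovered keys, existing installations may hold leftovers this change does not clean up, which is worth a note in the bug. `recoverKey` begins and ends outside the hunk.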
|
|
|
67803c |
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
index eb5b831..4bd4bb7 100644
|
|
|
67803c |
--- a/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
+++ b/base/tps/shared/conf/CS.cfg
|
|
|
67803c |
@@ -61,10 +61,12 @@ auths.instance.ldap1.ldapStringAttributes._003=# $<attribute>$
|
|
|
67803c |
auths.instance.ldap1.ldapStringAttributes._004=# attributes example:
|
|
|
67803c |
auths.instance.ldap1.ldapStringAttributes._005=#mail,cn,uid,edipi,pcc,firstname,lastname,exec-edipi,exec-pcc,exec-mail,certsToAdd,tokenCUID,tokenType
|
|
|
67803c |
auths.instance.ldap1.ldapStringAttributes._006=#################################
|
|
|
67803c |
-auths.instance.ldap1.ldapStringAttributes=mail,cn,uid
|
|
|
67803c |
+auths.instance.ldap1.ldapStringAttributes=mail,cn,uid,enrollmenttype,certsToAdd,tokenCUID,registrationtype,tokenType,firstname,lastname,exec-edipi,exec-mail
|
|
|
67803c |
auths.instance.ldap1.ldap.basedn=[LDAP_ROOT]
|
|
|
67803c |
+auths.instance.ldap1.externalReg.attributes=certsToAdd,tokenCUID,enrollmenttype,registrationtype,tokenType
|
|
|
67803c |
auths.instance.ldap1.externalReg.certs.recoverAttributeName=certsToAdd
|
|
|
67803c |
auths.instance.ldap1.externalReg.cuidAttributeName=tokenCUID
|
|
|
67803c |
+auths.instance.ldap1.externalReg.registrationTypeAttributeName=registrationtype
|
|
|
67803c |
auths.instance.ldap1.externalReg.tokenTypeAttributeName=tokenType
|
|
|
67803c |
auths.instance.ldap1.ldap.maxConns=15
|
|
|
67803c |
auths.instance.ldap1.ldap.minConns=3
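Review bot: `enrollmenttype` is added to both `ldapStringAttributes` and the new `externalReg.attributes` list, but no `externalReg.enrollmentTypeAttributeName` mapping is added alongside `registrationTypeAttributeName`, so either it is read under a hard-coded name elsewhere or it is fetched for nothing; confirm which and add the mapping or drop it. Judging by their mapping keys, `certsToAdd` and `tokenCUID` decide which certificates are recovered onto which token, so the template should carry a comment that these attributes must be writable only by the registration authority in the directory, never by users editing their own entries. Existing instances keep their own CS.cfg, so this only affects new installs.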
|
|
|
67803c |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
|
|
|
67803c |
index 77b320c..f1e773a 100644
|
|
|
67803c |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
|
|
|
67803c |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
|
|
|
67803c |
@@ -200,7 +200,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
|
|
|
67803c |
// Check if the external reg parameter registrationType matches currentTokenOperation,
|
|
|
67803c |
// otherwise stop the operation.
|
|
|
67803c |
CMS.debug(method + " checking if record registrationtype matches currentTokenOperation.");
|
|
|
67803c |
- if(erAttrs.getRegistrationType() != null) {
|
|
|
67803c |
+ if(erAttrs.getRegistrationType() != null && erAttrs.getRegistrationType().length() > 0) {
|
|
|
67803c |
if(!erAttrs.getRegistrationType().equalsIgnoreCase(currentTokenOperation)) {
|
|
|
67803c |
CMS.debug(
|
|
|
67803c |
method + " Error: registrationType " +
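Review bot: An empty `registrationtype` value now skips the registrationType-vs-operation check entirely, whereas before this change an empty string fell into the mismatch branch and stopped the operation; if that check is relied on as a gate, a blank attribute in the directory quietly disables it. Log that the check was skipped and treat whitespace-only values the same way: `String regType = erAttrs.getRegistrationType();` / `if (regType != null && !regType.trim().isEmpty()) {` with an else branch containing `CMS.debug(method + " registrationType absent or empty; skipping operation check");`. The surrounding method starts and ends outside the hunk.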
|
|
|
67803c |
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
67803c |
index ec069b1..61da1d6 100644
|
|
|
67803c |
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
67803c |
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
|
|
|
67803c |
@@ -1294,12 +1294,12 @@ public class TPSProcessor {
throws EBaseException, TPSException {
String logMsg = null;
- CMS.debug("TPSProcessor.authenticateUser");
if (op.isEmpty() || userAuth == null || userCred == null) {
logMsg = "TPSProcessor.authenticateUser: missing parameter(s): op, userAuth, or userCred";
CMS.debug(logMsg);
throw new EBaseException(logMsg);
}
+ CMS.debug("TPSProcessor.authenticateUser: op: " + op);
IAuthManager auth = userAuth.getAuthManager();
try {
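Review bot: The debug line moved below the guard now reads `op`, but the guard itself calls `op.isEmpty()` before any other check, so a null `op` raises NullPointerException instead of the EBaseException carrying the "missing parameter(s)" message; the commit does not address this. `if (op == null || op.isEmpty() || userAuth == null || userCred == null) {` makes the guard match its own error text. authenticateUser's signature and the rest of its body lie outside the hunk.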
@@ -1311,6 +1311,12 @@ public class TPSProcessor {
while (n.hasMoreElements()) {
String name = n.nextElement();
CMS.debug("TPSProcessor.authenticateUser: got authToken val name:" + name);
+ /* debugging authToken content vals
+ String[] vals = authToken.getInStringArray(name);
+ if (vals != null) {
+ CMS.debug("TPSProcessor.authenticateUser: got authToken val :" + vals[0]);
+ }
+ */
}
return authToken;
} else {
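Review bot: The added block is commented-out debugging code that, if ever re-enabled, would write authToken attribute values (`vals[0]`) to the debug log, where they may include user-identifying or credential-derived data; committing it as a comment invites exactly that. Drop the block, or if value-level tracing is genuinely needed, gate it behind an explicit configuration flag and log only the attribute name and value count, e.g. `CMS.debug("TPSProcessor.authenticateUser: " + name + " has " + vals.length + " value(s)");`. Note also that `vals[0]` is unguarded against a zero-length array. The enclosing method starts and ends outside the hunk.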
@@ -1811,6 +1817,21 @@ public class TPSProcessor {
return ret;
}
+ /*
+ * listCaseInsensitiveContains - case insensitive contain check
+ * @param s the string checked if contained in list
+ * @param list the list
+ * @returns true if list contains s; false otherwise
+ */
+ public boolean listCaseInsensitiveContains(String s, List<String> list){
+ for (String element : list){
+ if (element.equalsIgnoreCase(s)){
+ return true;
+ }
+ }
+ return false;
+ }
+
/*
* processExternalRegAttrs :
* - retrieve from authToken relevant attributes for externalReg
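Review bot: `listCaseInsensitiveContains` is added as a public instance method although it reads no instance state and only serves processExternalRegAttrs; `private static boolean listCaseInsensitiveContains(String s, List<String> list)` keeps it out of the class's API. The caller checks `attributesToProcess` for null, but a null element in the list still raises NullPointerException at `element.equalsIgnoreCase(s)`; `if (element != null && element.equalsIgnoreCase(s)) {` makes the helper total. The comment should be a Javadoc block (`/**`) and use `@return` rather than `@returns` so the tag is picked up.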
@@ -1836,7 +1857,7 @@ public class TPSProcessor {
if(attributesToProcess == null)
return erAttrs;
- if(attributesToProcess.contains(erAttrs.ldapAttrNameTokenType)) {
+ if(listCaseInsensitiveContains(erAttrs.ldapAttrNameTokenType, attributesToProcess)) {
CMS.debug(method + ": getting from authToken:"
+ erAttrs.ldapAttrNameTokenType);
vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenType);
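Review bot: The membership test on `attributesToProcess` is now case-insensitive, but the lookup that follows, `authToken.getInStringArray(erAttrs.ldapAttrNameTokenType)`, still keys on the configured name exactly as spelled; if authToken keys are case-sensitive (not visible here), an attribute listed as `tokentype` while configured as `tokenType` passes the new check and then yields null, so the relaxed check does not by itself make the two settings agree. Either document on the `*AttributeName` settings that they must match the key the auth manager stores, or look the value up under the spelling found in the list. The same pattern appears in the hunks at -1852 and -1876. processExternalRegAttrs starts outside the hunk.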
@@ -1852,17 +1873,20 @@ public class TPSProcessor {
erAttrs.setTokenType(vals[0]);
}
}
- if(attributesToProcess.contains(erAttrs.ldapAttrNameTokenCUID)) {
+ if(listCaseInsensitiveContains(erAttrs.ldapAttrNameTokenCUID, attributesToProcess)) {
CMS.debug(method + ": getting from authToken:"
+ erAttrs.ldapAttrNameTokenCUID);
vals = authToken.getInStringArray(erAttrs.ldapAttrNameTokenCUID);
if (vals != null) {
CMS.debug(method + ": retrieved cuid:" + vals[0]);
erAttrs.setTokenCUID(vals[0]);
+ } else {
+ CMS.debug(method + ": " + erAttrs.ldapAttrNameTokenCUID +
+ " attribute not found");
}
}
- if(attributesToProcess.contains(erAttrs.ldapAttrNameRegistrationType)) {
+ if(listCaseInsensitiveContains(erAttrs.ldapAttrNameRegistrationType, attributesToProcess)) {
CMS.debug(method + ": getting from authToken:"
+ erAttrs.ldapAttrNameRegistrationType);
vals = authToken.getInStringArray(erAttrs.ldapAttrNameRegistrationType);
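Review bot: The new `else` branch logs when the CUID attribute is missing, but the `if (vals != null)` it extends still indexes `vals[0]` and so throws ArrayIndexOutOfBoundsException for an attribute that is present with zero values; `if (vals != null && vals.length > 0) {` routes that case to the new "attribute not found" path as well. The tokenType and registrationType branches in this and the neighbouring hunks read `vals[0]` the same way, so the guard belongs on each of them.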
@@ -1876,7 +1900,7 @@ public class TPSProcessor {
}
- if(attributesToProcess.contains(erAttrs.ldapAttrNameCertsToRecover)) {
+ if(listCaseInsensitiveContains(erAttrs.ldapAttrNameCertsToRecover, attributesToProcess)) {
/*
* certs to be recovered for this user
* - multi-valued
--
1.8.3.1
From 74c7c1133fd8d2f216eb1330147e870632ded68f Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Wed, 28 Aug 2019 18:11:36 -0400
Subject: [PATCH 6/7] simple typo fix in a debug line.
(cherry picked from commit 272b785d20bc807406bc1e89a52c0fc142e25e72)
---
base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 61da1d6..baf0671 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -4172,7 +4172,7 @@ public class TPSProcessor {
keyInfo = tokenRecord.getKeyInfo();
- CMS.debug("TPProcessor.getKeyInfioFromTokenDB: returning: " + keyInfo);
+ CMS.debug("TPProcessor.getKeyInfoFromTokenDB: returning: " + keyInfo);
return keyInfo;
--
1.8.3.1
From ce90aeab54f0a33d1c59bd5a95852ea2c62541e9 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@cfu-rhel7.usersys.redhat.com>
Date: Fri, 6 Sep 2019 16:49:00 -0400
Subject: [PATCH 7/7] Bug 1523330 - CC: missing audit event for CS acting as
TLS client
This patch adds failed CLIENT_ACCESS_SESSION_ESTABLISH audit event for the case
when internal ldap server goes down
fixes https://bugzilla.redhat.com/show_bug.cgi?id=1523330
(cherry picked from commit 10d52dd0d6b562edc9e32c543017c67c1c0212a8)
---
.../netscape/cmscore/ldapconn/PKISocketFactory.java | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
index 00df65b..dc93f5d 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/ldapconn/PKISocketFactory.java
@@ -33,6 +33,9 @@ import org.mozilla.jss.ssl.SSLSocket;
import com.netscape.certsrv.apps.CMS;
import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.event.ClientAccessSessionEstablishEvent;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+import com.netscape.cms.logging.SignedAuditLogger;
import netscape.ldap.LDAPException;
import netscape.ldap.LDAPSSLSocketFactoryExt;
@@ -46,6 +49,8 @@ import org.dogtagpki.server.PKIClientSocketListener;
*/
public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
+ private static SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();
+
private boolean secure;
private String mClientAuthCertNickname;
private boolean mClientAuth;
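Review bot: The added `signedAuditLogger` field is never reassigned, so it should be declared immutable: `private static final SignedAuditLogger signedAuditLogger = SignedAuditLogger.getLogger();`. Making it final also makes the single-instance intent explicit to readers of the later catch block that logs through it.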
@@ -157,6 +162,22 @@ public class PKISocketFactory implements LDAPSSLSocketFactoryExt {
s.setKeepAlive(keepAlive);
} catch (Exception e) {
+ // for auditing
+ String localIP = "localhost";
+ try {
+ localIP = InetAddress.getLocalHost().getHostAddress();
+ } catch (UnknownHostException e2) {
+ // default to "localhost";
+ }
+ SignedAuditEvent auditEvent;
+ auditEvent = ClientAccessSessionEstablishEvent.createFailureEvent(
+ localIP,
+ host,
+ Integer.toString(port),
+ "SYSTEM",
+ "connect:" +e.toString());
+ signedAuditLogger.log(auditEvent);
+
CMS.debug(e);
if (s != null) {
try {
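Review bot: `InetAddress.getLocalHost().getHostAddress()` runs on every failed connection in the added audit block, which can itself block on a name lookup inside the error path, and when that lookup fails the audit record carries the literal string "localhost" instead of an address, so the local-address field is least reliable exactly when the server is already degraded. Resolve the local address once, e.g. in a `private static final String LOCAL_IP` initialised by a small helper wrapping the same try/catch, and pass that to createFailureEvent; if the fallback is kept, a comment on that argument should say the field may read "localhost". The intentionally unused catch variable `e2` is conventionally named `ignored`. The hunk adds no imports for InetAddress or UnknownHostException, so they are presumably already present in the file; worth confirming. The enclosing method starts outside the hunk.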
--
1.8.3.1