Blob Blame History Raw
From 8d60caa44803915c153e1919ccaf08b166d38190 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 29 Mar 2017 03:36:39 +0200
Subject: [PATCH 01/59] Removed duplicate PROP_ROLLOVER_INTERVAL constant.

Change-Id: I66b369ec33f97dab96f6d832e2eb9ab0c6cdbe98
---
 .../src/com/netscape/cms/logging/RollingLogFile.java   | 18 +++++++++---------
 .../netscape/cms/servlet/admin/LogAdminServlet.java    |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index 32568da..d84c441 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IExtendedPluginInfo;
+import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.logging.ConsoleError;
 import com.netscape.certsrv.logging.ELogException;
@@ -49,7 +50,6 @@ import com.netscape.cmsutil.util.Utils;
  */
 public class RollingLogFile extends LogFile {
     public static final String PROP_MAX_FILE_SIZE = "maxFileSize";
-    public static final String PROP_ROLLOVER_INTERVAL = "rolloverInterval";
     public static final String PROP_EXPIRATION_TIME = "expirationTime";
 
     /**
@@ -116,7 +116,7 @@ public class RollingLogFile extends LogFile {
         super.init(config);
 
         rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE),
-                config.getString(PROP_ROLLOVER_INTERVAL, ROLLOVER_INTERVAL),
+                config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
                 config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
     }
 
@@ -585,7 +585,7 @@ public class RollingLogFile extends LogFile {
         Vector<String> v = super.getDefaultParams();
 
         v.addElement(PROP_MAX_FILE_SIZE + "=");
-        v.addElement(PROP_ROLLOVER_INTERVAL + "=");
+        v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
         //v.addElement(PROP_EXPIRATION_TIME + "=");
         return v;
     }
@@ -596,15 +596,15 @@ public class RollingLogFile extends LogFile {
         try {
             v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024);
             if (mRolloverInterval / 1000 <= 60 * 60)
-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Hourly");
+                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly");
             else if (mRolloverInterval / 1000 <= 60 * 60 * 24)
-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Daily");
+                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Daily");
             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 7)
-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Weekly");
+                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Weekly");
             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 30)
-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Monthly");
+                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Monthly");
             else if (mRolloverInterval / 1000 <= 60 * 60 * 24 * 366)
-                v.addElement(PROP_ROLLOVER_INTERVAL + "=" + "Yearly");
+                v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Yearly");
 
             //v.addElement(PROP_EXPIRATION_TIME + "=" + mExpirationTime / 1000);
         } catch (Exception e) {
@@ -622,7 +622,7 @@ public class RollingLogFile extends LogFile {
         }
         info.addElement(PROP_MAX_FILE_SIZE
                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
-        info.addElement(PROP_ROLLOVER_INTERVAL
+        info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
         info.addElement(PROP_EXPIRATION_TIME
                 + ";integer;The amount of time before a backed up log is removed in seconds");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
index d665224..08c3293 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
@@ -1645,7 +1645,7 @@ public class LogAdminServlet extends AdminServlet {
 
                     }
 
-                    if (key.equals("rolloverInterval")) {
+                    if (key.equals(Constants.PR_LOG_ROLLEROVER_INTERVAL)) {
                         if (val.equals("Hourly"))
                             val = Integer.toString(60 * 60);
                         else if (val.equals("Daily"))
-- 
1.8.3.1


From 939896c06013065a7566002a2708d4598d3d7b96 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 30 Mar 2017 07:08:52 +0200
Subject: [PATCH 02/59] Removed duplicate PROP_MAX_FILE_SIZE constant.

Change-Id: Ic2aa92985e8aee9b5405ad542c640ca67a0047c6
---
 base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index d84c441..4d29715 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils;
  * @version $Revision$, $Date$
  */
 public class RollingLogFile extends LogFile {
-    public static final String PROP_MAX_FILE_SIZE = "maxFileSize";
     public static final String PROP_EXPIRATION_TIME = "expirationTime";
 
     /**
@@ -115,7 +114,7 @@ public class RollingLogFile extends LogFile {
             EBaseException {
         super.init(config);
 
-        rl_init(config.getInteger(PROP_MAX_FILE_SIZE, MAX_FILE_SIZE),
+        rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE),
                 config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
                 config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
     }
@@ -584,7 +583,7 @@ public class RollingLogFile extends LogFile {
     public Vector<String> getDefaultParams() {
         Vector<String> v = super.getDefaultParams();
 
-        v.addElement(PROP_MAX_FILE_SIZE + "=");
+        v.addElement(Constants.PR_LOG_MAXFILESIZE + "=");
         v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
         //v.addElement(PROP_EXPIRATION_TIME + "=");
         return v;
@@ -594,7 +593,7 @@ public class RollingLogFile extends LogFile {
         Vector<String> v = super.getInstanceParams();
 
         try {
-            v.addElement(PROP_MAX_FILE_SIZE + "=" + mMaxFileSize / 1024);
+            v.addElement(Constants.PR_LOG_MAXFILESIZE + "=" + mMaxFileSize / 1024);
             if (mRolloverInterval / 1000 <= 60 * 60)
                 v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=" + "Hourly");
             else if (mRolloverInterval / 1000 <= 60 * 60 * 24)
@@ -620,7 +619,7 @@ public class RollingLogFile extends LogFile {
             if (!p[i].startsWith(IExtendedPluginInfo.HELP_TOKEN) && !p[i].startsWith(IExtendedPluginInfo.HELP_TEXT))
                 info.addElement(p[i]);
         }
-        info.addElement(PROP_MAX_FILE_SIZE
+        info.addElement(Constants.PR_LOG_MAXFILESIZE
                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
         info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
-- 
1.8.3.1


From 01b510f51992e04ffc84aefdd2d3e1f09b09b480 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 30 Mar 2017 22:57:19 +0200
Subject: [PATCH 03/59] Removed duplicate PROP_EXPIRATION_TIME constant.

Change-Id: Ife9108019994b385fc452da0f29dee64d0ccc5d3
---
 base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java   | 7 +++----
 .../cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java    | 6 +++---
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index 4d29715..fb70f46 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -49,7 +49,6 @@ import com.netscape.cmsutil.util.Utils;
  * @version $Revision$, $Date$
  */
 public class RollingLogFile extends LogFile {
-    public static final String PROP_EXPIRATION_TIME = "expirationTime";
 
     /**
      * The default max file size in bytes
@@ -116,7 +115,7 @@ public class RollingLogFile extends LogFile {
 
         rl_init(config.getInteger(Constants.PR_LOG_MAXFILESIZE, MAX_FILE_SIZE),
                 config.getString(Constants.PR_LOG_ROLLEROVER_INTERVAL, ROLLOVER_INTERVAL),
-                config.getString(PROP_EXPIRATION_TIME, EXPIRATION_TIME));
+                config.getString(Constants.PR_LOG_EXPIRED_TIME, EXPIRATION_TIME));
     }
 
     /**
@@ -585,7 +584,7 @@ public class RollingLogFile extends LogFile {
 
         v.addElement(Constants.PR_LOG_MAXFILESIZE + "=");
         v.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL + "=");
-        //v.addElement(PROP_EXPIRATION_TIME + "=");
+        //v.addElement(Constants.PR_LOG_EXPIRED_TIME + "=");
         return v;
     }
 
@@ -623,7 +622,7 @@ public class RollingLogFile extends LogFile {
                 + ";integer;If the current log file size if bigger than this parameter in kilobytes(KB), the file will be rotated.");
         info.addElement(Constants.PR_LOG_ROLLEROVER_INTERVAL
                 + ";choice(Hourly,Daily,Weekly,Monthly,Yearly);The frequency of the log being rotated.");
-        info.addElement(PROP_EXPIRATION_TIME
+        info.addElement(Constants.PR_LOG_EXPIRED_TIME
                 + ";integer;The amount of time before a backed up log is removed in seconds");
         info.addElement(IExtendedPluginInfo.HELP_TOKEN +
                 //";configuration-logrules-rollinglogfile");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
index 08c3293..13ba52c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
@@ -834,7 +834,7 @@ public class LogAdminServlet extends AdminServlet {
             // files is no longer supported, it is still a required parameter
             // that must be present during the creation and modification of
             // custom log plugins.
-            substore.put("expirationTime", "0");
+            substore.put(Constants.PR_LOG_EXPIRED_TIME, "0");
 
             // Instantiate an object for this implementation
             String className = plugin.getClassPath();
@@ -1591,7 +1591,7 @@ public class LogAdminServlet extends AdminServlet {
             // files is no longer supported, it is still a required parameter
             // that must be present during the creation and modification of
             // custom log plugins.
-            substore.put("expirationTime", "0");
+            substore.put(Constants.PR_LOG_EXPIRED_TIME, "0");
 
             // IMPORTANT:  save a copy of the original log file path
             origLogPath = substore.getString(Constants.PR_LOG_FILENAME);
@@ -1702,7 +1702,7 @@ public class LogAdminServlet extends AdminServlet {
                             }
                         }
                         /*
-                                                if (key.equals("expirationTime")) {
+                                                if (key.equals(Constants.PR_LOG_EXPIRED_TIME)) {
                                                     String origVal = substore.getString(key);
 
                                                     val = val.trim();
-- 
1.8.3.1


From 1d3216aece7381cbac7b812dfbb969b466b31abe Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 30 Mar 2017 22:31:30 +0200
Subject: [PATCH 04/59] Fixed default subsystems for top-level CLI commands.

The top-level CLI commands have been modified to get the subsystem
name from the parent subsystem CLI if available, otherwise they
will use a hard-coded default value.

https://pagure.io/dogtagpki/issue/2626

Change-Id: Ieef45abfdfb4a6fc63fd06a6ccda4e70366de4a0
---
 base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java    | 10 ++++++++--
 base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java  | 10 ++++++++--
 base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java      |  9 +++++++--
 .../src/com/netscape/cmstools/system/SecurityDomainCLI.java    | 10 ++++++++--
 base/java-tools/src/com/netscape/cmstools/user/UserCLI.java    | 10 ++++++++--
 5 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
index 9687084..af117a6 100644
--- a/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cert/CertCLI.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.cert.CertReviewResponse;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 
 /**
  * @author Endi S. Dewata
@@ -81,8 +82,13 @@ public class CertCLI extends CLI {
         PKIClient client = getClient();
 
         // determine the subsystem
-        String subsystem = client.getSubsystem();
-        if (subsystem == null) subsystem = "ca";
+        String subsystem;
+        if (parent instanceof SubsystemCLI) {
+            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+            subsystem = subsystemCLI.getName();
+        } else {
+            subsystem = "ca";
+        }
 
         // create new cert client
         certClient = new CertClient(client, subsystem);
diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
index bd4651d..5ccf70d 100644
--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
@@ -26,6 +26,7 @@ import com.netscape.certsrv.group.GroupClient;
 import com.netscape.certsrv.group.GroupData;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 
 /**
  * @author Endi S. Dewata
@@ -67,8 +68,13 @@ public class GroupCLI extends CLI {
         PKIClient client = getClient();
 
         // determine the subsystem
-        String subsystem = client.getSubsystem();
-        if (subsystem == null) subsystem = "ca";
+        String subsystem;
+        if (parent instanceof SubsystemCLI) {
+            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+            subsystem = subsystemCLI.getName();
+        } else {
+            subsystem = "ca";
+        }
 
         // create new group client
         groupClient = new GroupClient(client, subsystem);
diff --git a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
index b9b27d1..d7c087f 100644
--- a/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/key/KeyCLI.java
@@ -27,6 +27,7 @@ import com.netscape.certsrv.system.SystemCertClient;
 import com.netscape.certsrv.util.NSSCryptoProvider;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 import com.netscape.cmsutil.util.Utils;
 
 /**
@@ -78,9 +79,13 @@ public class KeyCLI extends CLI {
         PKIClient client = getClient();
 
         // determine the subsystem
-        String subsystem = client.getSubsystem();
-        if (subsystem == null)
+        String subsystem;
+        if (parent instanceof SubsystemCLI) {
+            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+            subsystem = subsystemCLI.getName();
+        } else {
             subsystem = "kra";
+        }
 
         // create new key client
         keyClient = new KeyClient(client, subsystem);
diff --git a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
index d9db91e..ea6cd29 100644
--- a/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/system/SecurityDomainCLI.java
@@ -25,6 +25,7 @@ import com.netscape.certsrv.system.SecurityDomainHost;
 import com.netscape.certsrv.system.SecurityDomainSubsystem;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 
 /**
  * @author Endi S. Dewata
@@ -60,8 +61,13 @@ public class SecurityDomainCLI extends CLI {
         PKIClient client = getClient();
 
         // determine the subsystem
-        String subsystem = client.getSubsystem();
-        if (subsystem == null) subsystem = "ca";
+        String subsystem;
+        if (parent instanceof SubsystemCLI) {
+            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+            subsystem = subsystemCLI.getName();
+        } else {
+            subsystem = "ca";
+        }
 
         // create new security domain client
         securityDomainClient = new SecurityDomainClient(client, subsystem);
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
index 57a132c..1acbf0b 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
@@ -27,6 +27,7 @@ import com.netscape.certsrv.user.UserData;
 import com.netscape.certsrv.user.UserResource;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.MainCLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 
 /**
  * @author Endi S. Dewata
@@ -70,8 +71,13 @@ public class UserCLI extends CLI {
         PKIClient client = getClient();
 
         // determine the subsystem
-        String subsystem = client.getSubsystem();
-        if (subsystem == null) subsystem = "ca";
+        String subsystem;
+        if (parent instanceof SubsystemCLI) {
+            SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
+            subsystem = subsystemCLI.getName();
+        } else {
+            subsystem = "ca";
+        }
 
         // create new user client
         userClient = new UserClient(client, subsystem);
-- 
1.8.3.1


From 269f7d62ab3c8d13f7746fccb69cb0b305c46fb9 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 31 Mar 2017 04:48:24 +0200
Subject: [PATCH 05/59] Fixed pylint errors in pki.server.cli.subsystem.

https://pagure.io/dogtagpki/issue/2627

Change-Id: Icd47be636c78224328438a8091c7c3bdd07c06bd
---
 base/server/python/pki/server/cli/subsystem.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/base/server/python/pki/server/cli/subsystem.py b/base/server/python/pki/server/cli/subsystem.py
index 04461f2..ee5d2d2 100644
--- a/base/server/python/pki/server/cli/subsystem.py
+++ b/base/server/python/pki/server/cli/subsystem.py
@@ -24,7 +24,6 @@ from __future__ import print_function
 import getopt
 import getpass
 import os
-import string
 import subprocess
 import sys
 from tempfile import mkstemp
@@ -789,7 +788,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
 
         # format cert data for LDAP database
         lines = [data[i:i + 64] for i in range(0, len(data), 64)]
-        data = string.join(lines, '\r\n') + '\r\n'
+        data = '\r\n'.join(lines) + '\r\n'
 
         if self.verbose:
             print('Retrieving certificate request from CA database')
@@ -812,7 +811,7 @@ class SubsystemCertUpdateCLI(pki.cli.CLI):
                 lines = lines[1:]
             if lines[-1] == '-----END CERTIFICATE REQUEST-----':
                 lines = lines[:-1]
-            request = string.join(lines, '')
+            request = ''.join(lines)
             subsystem_cert['request'] = request
 
         else:
-- 
1.8.3.1


From 671157f430eb6fa46ad2132758e3d06f602724f4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 31 Mar 2017 05:05:37 +0200
Subject: [PATCH 06/59] Fixed pylint error in pki.authority.

https://pagure.io/dogtagpki/issue/2627

Change-Id: I3111e78fc0afb63799e7bd707274ec7a9e8624ac
---
 base/common/python/pki/authority.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
index 00c6fd9..f6880b5 100644
--- a/base/common/python/pki/authority.py
+++ b/base/common/python/pki/authority.py
@@ -362,7 +362,7 @@ def main():
     try:
         subca = ca_client.create_ca(data)
     except ValueError as e:
-        print(e.message)
+        print(e)
 
     # Get the host CA
     print("Getting the host CA")
-- 
1.8.3.1


From 3e80b04c1de37568d304b2d76f324c026830fd11 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 31 Mar 2017 09:48:07 -0600
Subject: [PATCH 08/59] Misc pylint, flake8 and tox fixes

---
 base/common/python/pki/__init__.py                 |  5 ++---
 base/common/python/pki/authority.py                |  2 ++
 base/common/python/pki/client.py                   |  1 +
 base/common/python/pki/feature.py                  |  1 +
 base/kra/functional/drmclient_deprecated.py        |  3 ++-
 base/kra/functional/drmtest.py                     |  2 +-
 base/server/python/pki/server/__init__.py          |  2 +-
 base/server/python/pki/server/cli/kra.py           |  2 +-
 .../python/pki/server/deployment/pkiparser.py      |  2 +-
 base/server/python/pki/server/upgrade.py           |  4 ++--
 pylint-build-scan.py                               |  1 +
 tox.ini                                            | 26 +++++++++++++---------
 12 files changed, 31 insertions(+), 20 deletions(-)

diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
index 5d2a143..c015126 100644
--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -269,9 +269,8 @@ class RequestNotFoundException(ResourceNotFoundException):
 class UserNotFoundException(ResourceNotFoundException):
     """ User Not Found Exception: return code = 404 """
 
-"""
-Mapping from Java Server exception classes to python exception classes
-"""
+
+# Mapping from Java Server exception classes to python exception classes
 EXCEPTION_MAPPINGS = {
     "com.netscape.certsrv.base.BadRequestException": BadRequestException,
     "com.netscape.certsrv.base.ConflictingOperationException":
diff --git a/base/common/python/pki/authority.py b/base/common/python/pki/authority.py
index f6880b5..9fa459c 100644
--- a/base/common/python/pki/authority.py
+++ b/base/common/python/pki/authority.py
@@ -289,6 +289,7 @@ class AuthorityClient(object):
 
         self.connection.delete(url, headers)
 
+
 encoder.NOTYPES['AuthorityData'] = AuthorityData
 
 
@@ -499,5 +500,6 @@ def main():
     print("-----------------------------------")
     issue_cert_using_authority(cert_client, sub_subca.aid)
 
+
 if __name__ == "__main__":
     main()
diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 3e819cf..90ca4fe 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -224,5 +224,6 @@ def main():
     conn.set_authentication_cert('/root/temp4.pem')
     print(conn.get("", headers).json())
 
+
 if __name__ == "__main__":
     main()
diff --git a/base/common/python/pki/feature.py b/base/common/python/pki/feature.py
index 0e5171d..1a2d402 100644
--- a/base/common/python/pki/feature.py
+++ b/base/common/python/pki/feature.py
@@ -133,6 +133,7 @@ class FeatureClient(object):
             headers=self.headers)
         return FeatureCollection.from_json(response.json())
 
+
 encoder.NOTYPES['Feature'] = Feature
 
 
diff --git a/base/kra/functional/drmclient_deprecated.py b/base/kra/functional/drmclient_deprecated.py
index e333913..fe0f100 100644
--- a/base/kra/functional/drmclient_deprecated.py
+++ b/base/kra/functional/drmclient_deprecated.py
@@ -1008,7 +1008,8 @@ class KRA:
         self.debug('%s.recover_security_data()', self.fullname)
         pass
 
-""" Sample Test execution starts here """
+
+# Sample Test execution starts here
 parser = argparse.ArgumentParser(description="Sample Test execution")
 parser.add_argument(
     '-d',
diff --git a/base/kra/functional/drmtest.py b/base/kra/functional/drmtest.py
index 6853987..7e236ef 100755
--- a/base/kra/functional/drmtest.py
+++ b/base/kra/functional/drmtest.py
@@ -302,7 +302,7 @@ def usage():
     print('  -P <protocol>                  KRA server protocol (default: https).')
     print('  -h <hostname>                  KRA server hostname (default: localhost).')
     print('  -p <port>                      KRA server port (default: 8443).')
-    print('  -n <path>                      KRA agent certificate and private key (default: kraagent.pem).')  # nopep8
+    print('  -n <path>                      KRA agent certificate and private key (default: kraagent.pem).')  # noqa: E501
     print()
     print('  --help                         Show this help message.')
 
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 70734c3..357bad3 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -469,7 +469,7 @@ class ExternalCert(object):
 @functools.total_ordering
 class PKIInstance(object):
 
-    def __init__(self, name, instanceType=10):  # nopep8
+    def __init__(self, name, instanceType=10):  # noqa: N803
 
         self.name = name
         self.type = instanceType
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index 5c9111d..5558d6a 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -378,7 +378,7 @@ class KRADBVLVAddCLI(pki.cli.CLI):
             print('KRA VLVs added to the database for ' + instance_name)
 
         except ldap.LDAPError as e:
-            print("ERROR: " + e.message['desc'])
+            print("ERROR: {}".format(e))
             sys.exit(1)
 
     def add_vlv(self, subsystem, bind_dn, bind_password):
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 15e48ba..e05e0be 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -308,7 +308,7 @@ class PKIConfigParser:
 
         return value
 
-    def read_password(self, message, section=None, key=None,  # nopep8
+    def read_password(self, message, section=None, key=None,  # noqa: N803
                       verifyMessage=None):
         message = ' ' * self.indent + message + ': '
         if verifyMessage is not None:  # nopep8
diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
index 116ef3d..2c72e48 100644
--- a/base/server/python/pki/server/upgrade.py
+++ b/base/server/python/pki/server/upgrade.py
@@ -155,8 +155,8 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
 
 class PKIServerUpgrader(pki.upgrade.PKIUpgrader):
 
-    def __init__(self, instanceName=None, instanceType=None,  # nopep8
-                 subsystemName=None, upgrade_dir=UPGRADE_DIR,  # nopep8
+    def __init__(self, instanceName=None, instanceType=None,  # noqa: N803
+                 subsystemName=None, upgrade_dir=UPGRADE_DIR,  # noqa: N803
                  version=None, index=None, silent=False):
         super(PKIServerUpgrader, self).__init__(
             upgrade_dir, version, index, silent)
diff --git a/pylint-build-scan.py b/pylint-build-scan.py
index 3a7b473..a25bab7 100755
--- a/pylint-build-scan.py
+++ b/pylint-build-scan.py
@@ -131,5 +131,6 @@ def main():
 
     return subprocess.call(pylint, cwd=env['sitepackages'])
 
+
 if __name__ == '__main__':
     sys.exit(main())
diff --git a/tox.ini b/tox.ini
index f73818d..7b3d1fd 100644
--- a/tox.ini
+++ b/tox.ini
@@ -19,14 +19,23 @@
 #
 
 [tox]
-envlist = py27,py35,pep8,pep8py3,lint,lint3k,docs
+envlist = py27,py35,py36,,pep8,pep8py3,lint,lint3,docs
 skip_missing_interpreters = true
 
+[testenv:deps]
+deps =
+    lxml
+    pyldap
+    python-nss
+    requests
+    six
+
 [testenv]
 # force installation of sphinx and lint in virtual env, otherwise
 # the command pick up the `pki` package from the system's site packages.
 install_command = pip install {opts} --force-reinstall --upgrade {packages}
 deps =
+    {[testenv:deps]deps}
     pytest
 sitepackages = True
 commands =
@@ -40,28 +49,24 @@ commands =
 [testenv:lint]
 basepython = python2.7
 deps =
+    {[testenv:deps]deps}
     pylint
 commands =
-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox
-
-[testenv:lint3k]
-basepython = python2.7
-deps =
-    pylint
-commands =
-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox -- --py3k
+    {envpython} {toxinidir}/pylint-build-scan.py tox
 
 [testenv:lint3]
 basepython = python3
 deps =
+    {[testenv:deps]deps}
     pylint
 commands =
-    {envpython} {toxinidir}/scripts/pylint-build-scan.py tox
+    {envpython} {toxinidir}/pylint-build-scan.py tox
 
 [testenv:pep8]
 basepython = python2.7
 sitepackages = False
 deps =
+    {[testenv:deps]deps}
     flake8
     # flake8-import-order
     pep8-naming
@@ -72,6 +77,7 @@ commands =
 basepython = python3
 sitepackages = False
 deps =
+    {[testenv:deps]deps}
     flake8
     # flake8-import-order
     pep8-naming
-- 
1.8.3.1


From 34fe01c204711f0ef02a43a9aba1bf5141465af9 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 31 Mar 2017 10:57:06 -0600
Subject: [PATCH 10/59] Fix for pylint when using Python 3.6

Added 'pylint: disable=no-member' whenever module 're'
attempts to reference its 'MULTILINE' member.
---
 base/server/python/pki/server/__init__.py             | 6 +++++-
 base/server/python/pki/server/deployment/pkihelper.py | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 357bad3..5032274 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -858,7 +858,11 @@ class Tomcat(object):
         output = output.decode('utf-8')
 
         # find "Server version: Apache Tomcat/<major version>.<minor version>"
-        match = re.search(r'^Server version:[^/]*/(\d+).*$', output, re.MULTILINE)
+        match = re.search(
+            r'^Server version:[^/]*/(\d+).*$',
+            output,
+            re.MULTILINE  # pylint: disable=no-member
+        )
 
         if not match:
             raise Exception('Unable to determine Tomcat version')
diff --git a/base/server/python/pki/server/deployment/pkihelper.py b/base/server/python/pki/server/deployment/pkihelper.py
index 2e276f5..051778d 100644
--- a/base/server/python/pki/server/deployment/pkihelper.py
+++ b/base/server/python/pki/server/deployment/pkihelper.py
@@ -2721,7 +2721,11 @@ class Modutil:
         output = output.decode('utf-8')
 
         # find modules from lines such as '1. NSS Internal PKCS #11 Module'
-        modules = re.findall(r'^ +\d+\. +(.*)$', output, re.MULTILINE)
+        modules = re.findall(
+            r'^ +\d+\. +(.*)$',
+            output,
+            re.MULTILINE  # pylint: disable=no-member
+        )
 
         if modulename not in modules:
             config.pki_log.info(
-- 
1.8.3.1


From 7fc7d3e8844d4992db60a637370b8599bff5a282 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 31 Mar 2017 19:23:43 +0200
Subject: [PATCH 11/59] Removed redundant Context attributes.

All subclasses of PKIService have been modified to remove the
Context attribute since they have been declared in the base class.

Change-Id: Icdbe97efa2b910a579264099f817930c2cc2ed1a
---
 .../org/dogtagpki/server/ca/rest/AuthorityService.java  | 17 -----------------
 .../dogtagpki/server/ca/rest/CertRequestService.java    | 17 -----------------
 .../src/org/dogtagpki/server/ca/rest/CertService.java   | 17 -----------------
 .../dogtagpki/server/ca/rest/KRAConnectorService.java   | 17 -----------------
 .../org/dogtagpki/server/ca/rest/ProfileService.java    | 16 ----------------
 .../dogtagpki/server/kra/rest/KeyRequestService.java    | 17 -----------------
 .../src/org/dogtagpki/server/kra/rest/KeyService.java   | 17 -----------------
 .../cms/src/org/dogtagpki/server/rest/AuditService.java | 17 -----------------
 .../cms/src/org/dogtagpki/server/rest/GroupService.java | 17 -----------------
 .../dogtagpki/server/rest/SecurityDomainService.java    | 17 -----------------
 .../src/org/dogtagpki/server/rest/SelfTestService.java  | 17 -----------------
 .../org/dogtagpki/server/rest/SystemConfigService.java  | 11 -----------
 .../cms/src/org/dogtagpki/server/rest/UserService.java  | 17 -----------------
 .../dogtagpki/server/tks/rest/TPSConnectorService.java  |  9 ---------
 .../org/dogtagpki/server/tps/config/ConfigService.java  | 17 -----------------
 .../org/dogtagpki/server/tps/rest/ActivityService.java  | 17 -----------------
 .../dogtagpki/server/tps/rest/AuthenticatorService.java | 17 -----------------
 .../org/dogtagpki/server/tps/rest/ConnectorService.java | 17 -----------------
 .../server/tps/rest/ProfileMappingService.java          | 17 -----------------
 .../org/dogtagpki/server/tps/rest/ProfileService.java   | 17 -----------------
 .../org/dogtagpki/server/tps/rest/TPSCertService.java   | 17 -----------------
 .../src/org/dogtagpki/server/tps/rest/TokenService.java | 17 -----------------
 22 files changed, 359 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index c734fbf..215d0fa 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -27,13 +27,8 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
 import javax.ws.rs.core.GenericEntity;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -75,18 +70,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
         hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
     }
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
             "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
 
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
index a0d36b9..a0f3d46 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertRequestService.java
@@ -24,13 +24,8 @@ import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.List;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.PathParam;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -81,18 +76,6 @@ import netscape.security.x509.X500Name;
  */
 public class CertRequestService extends PKIService implements CertRequestResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public static final int DEFAULT_START = 0;
     public static final int DEFAULT_PAGESIZE = 20;
     public static final int DEFAULT_MAXRESULTS = 100;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
index ebbab25..d5fe02f 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CertService.java
@@ -34,12 +34,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Random;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.catalina.realm.GenericPrincipal;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -94,18 +89,6 @@ import netscape.security.x509.X509Key;
  */
 public class CertService extends PKIService implements CertResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     ICertificateAuthority authority;
     ICertificateRepository repo;
     Random random;
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
index 4ef1b7e..24c33fa 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/KRAConnectorService.java
@@ -17,12 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package org.dogtagpki.server.ca.rest;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.BadRequestException;
@@ -38,18 +33,6 @@ import com.netscape.cms.servlet.base.PKIService;
  */
 public class KRAConnectorService extends PKIService implements KRAConnectorResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     @Override
     public Response addConnector(KRAConnectorInfo info) {
 
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index ba648a4..694fb92 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -32,11 +32,7 @@ import java.util.Map;
 import java.util.Properties;
 import java.util.Vector;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.PathParam;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
@@ -90,18 +86,6 @@ import com.netscape.cmscore.base.SimpleProperties;
  */
 public class ProfileService extends SubsystemService implements ProfileResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
 
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index 4138b38..e0c4ca9 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -25,13 +25,8 @@ import java.security.Principal;
 import java.util.HashMap;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.mozilla.jss.crypto.SymmetricKey;
 
@@ -67,18 +62,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
  */
 public class KeyRequestService extends SubsystemService implements KeyRequestResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST =
             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
 
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index e8cb6e9..e15b263 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -29,15 +29,10 @@ import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.List;
 
-import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Path;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
 import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
-import javax.ws.rs.core.UriInfo;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -82,18 +77,6 @@ import com.netscape.cmsutil.util.Utils;
  */
 public class KeyService extends SubsystemService implements KeyResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY =
             "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
     private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE =
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index 76a5396..9af95d9 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -26,12 +26,7 @@ import java.util.Map;
 import java.util.TreeMap;
 import java.util.TreeSet;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -51,18 +46,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class AuditService extends SubsystemService implements AuditResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public AuditService() {
         CMS.debug("AuditService.<init>()");
     }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
index 9d127c8..4ee2810 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
@@ -23,12 +23,7 @@ import java.net.URLEncoder;
 import java.util.Enumeration;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -58,18 +53,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class GroupService extends SubsystemService implements GroupResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 
     public GroupData createGroupData(IGroup group) throws Exception {
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
index 3d708eb..3dccea1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SecurityDomainService.java
@@ -17,12 +17,7 @@
 // --- END COPYRIGHT BLOCK ---
 package org.dogtagpki.server.rest;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.PKIException;
@@ -37,18 +32,6 @@ import com.netscape.cms.servlet.csadmin.SecurityDomainProcessor;
  */
 public class SecurityDomainService extends PKIService implements SecurityDomainResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     @Override
     public Response getInstallToken(String hostname, String subsystem) {
         CMS.debug("SecurityDomainService.getInstallToken(" + hostname + ", " + subsystem + ")");
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
index 9108a45..7cfe85f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SelfTestService.java
@@ -27,12 +27,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -53,18 +48,6 @@ import com.netscape.cms.servlet.base.PKIService;
  */
 public class SelfTestService extends PKIService implements SelfTestResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public SelfTestService() {
         CMS.debug("SelfTestService.<init>()");
     }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
index 18263f7..27a6817 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/SystemConfigService.java
@@ -73,17 +67,6 @@ import netscape.security.x509.X509CertImpl;
  *
  */
 public class SystemConfigService extends PKIService implements SystemConfigResource {
-    @Context
-    public UriInfo uriInfo;
-
-    @Context
-    public HttpHeaders headers;
-
-    @Context
-    public Request request;
-
-    @Context
-    public HttpServletRequest servletRequest;
 
     public IConfigStore cs;
     public String csType;
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
index 529c472..eeadba5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
@@ -32,12 +32,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
@@ -84,18 +79,6 @@ import netscape.security.x509.X509CertImpl;
  */
 public class UserService extends SubsystemService implements UserResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public final static String BACK_SLASH = "\\";
     public final static String SYSTEM_USER = "$System$";
 
diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
index 9119d77..77aba1a 100644
--- a/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TPSConnectorService.java
@@ -12,10 +12,7 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.TreeSet;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.ArrayUtils;
 import org.apache.commons.lang.StringUtils;
@@ -52,12 +49,6 @@ public class TPSConnectorService extends PKIService implements TPSConnectorResou
 
     IConfigStore cs = CMS.getConfigStore();
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public IUGSubsystem userGroupManager = (IUGSubsystem) CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 
     @Override
diff --git a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
index 8309a2f..e9590e6 100644
--- a/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/config/ConfigService.java
@@ -23,12 +23,7 @@ import java.net.URI;
 import java.util.HashMap;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -45,18 +40,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class ConfigService extends SubsystemService implements ConfigResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public ConfigService() {
         CMS.debug("ConfigService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
index 90029ea..37a3083 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ActivityService.java
@@ -23,12 +23,7 @@ import java.net.URI;
 import java.net.URLEncoder;
 import java.util.Iterator;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.dbs.ActivityDatabase;
@@ -49,18 +44,6 @@ import com.netscape.cms.servlet.base.PKIService;
  */
 public class ActivityService extends PKIService implements ActivityResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public ActivityService() {
         CMS.debug("ActivityService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
index 424cd14..50453ee 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
@@ -26,12 +26,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class AuthenticatorService extends SubsystemService implements AuthenticatorResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public AuthenticatorService() {
         CMS.debug("AuthenticatorService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
index c789f14..01bc132 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
@@ -26,12 +26,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class ConnectorService extends SubsystemService implements ConnectorResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public ConnectorService() {
         CMS.debug("ConnectorService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
index eca1803..2c070c0 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
@@ -26,12 +26,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class ProfileMappingService extends SubsystemService implements ProfileMappingResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public ProfileMappingService() {
         CMS.debug("ProfileMappingService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
index b769134..8058caf 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
@@ -26,12 +26,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
@@ -55,18 +50,6 @@ import com.netscape.cms.servlet.base.SubsystemService;
  */
 public class ProfileService extends SubsystemService implements ProfileResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public ProfileService() {
         CMS.debug("ProfileService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
index 074d3d0..9b62752 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TPSCertService.java
@@ -25,12 +25,7 @@ import java.util.HashMap;
 import java.util.Iterator;
 import java.util.Map;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.dbs.TPSCertDatabase;
@@ -50,18 +45,6 @@ import com.netscape.cms.servlet.base.PKIService;
  */
 public class TPSCertService extends PKIService implements TPSCertResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public TPSCertService() {
         CMS.debug("TPSCertService.<init>()");
     }
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
index a624e2a..f3d0d80 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
@@ -29,12 +29,7 @@ import java.util.Map;
 import java.util.MissingResourceException;
 import java.util.ResourceBundle;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.ws.rs.core.Context;
-import javax.ws.rs.core.HttpHeaders;
-import javax.ws.rs.core.Request;
 import javax.ws.rs.core.Response;
-import javax.ws.rs.core.UriInfo;
 
 import org.apache.commons.lang.StringUtils;
 import org.dogtagpki.server.tps.TPSSubsystem;
@@ -64,18 +59,6 @@ import netscape.ldap.LDAPException;
  */
 public class TokenService extends SubsystemService implements TokenResource {
 
-    @Context
-    private UriInfo uriInfo;
-
-    @Context
-    private HttpHeaders headers;
-
-    @Context
-    private Request request;
-
-    @Context
-    private HttpServletRequest servletRequest;
-
     public TokenService() throws Exception {
         CMS.debug("TokenService.<init>()");
     }
-- 
1.8.3.1


From 6749f6bffe92743373d4b86bbd05e5a957e74d96 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 31 Mar 2017 18:42:56 +0200
Subject: [PATCH 12/59] Refactored AuditCLI.

The AuditCLI has been modified to create the AuditClient with lazy
initialization.

Change-Id: I61b08e92a2f2de983fc77513dde89e1d5e1254b9
---
 base/common/src/com/netscape/certsrv/tps/TPSClient.java        |  2 --
 .../java-tools/src/com/netscape/cmstools/logging/AuditCLI.java | 10 +++++++---
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/tps/TPSClient.java b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
index da00225..19273f7 100644
--- a/base/common/src/com/netscape/certsrv/tps/TPSClient.java
+++ b/base/common/src/com/netscape/certsrv/tps/TPSClient.java
@@ -23,7 +23,6 @@ import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.group.GroupClient;
 import com.netscape.certsrv.logging.ActivityClient;
-import com.netscape.certsrv.logging.AuditClient;
 import com.netscape.certsrv.selftests.SelfTestClient;
 import com.netscape.certsrv.tps.authenticator.AuthenticatorClient;
 import com.netscape.certsrv.tps.cert.TPSCertClient;
@@ -46,7 +45,6 @@ public class TPSClient extends SubsystemClient {
 
     public void init() throws URISyntaxException {
         addClient(new ActivityClient(client, name));
-        addClient(new AuditClient(client, name));
         addClient(new AuthenticatorClient(client, name));
         addClient(new TPSCertClient(client, name));
         addClient(new ConfigClient(client, name));
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
index 1e2273e..ff489dc 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
@@ -27,16 +27,20 @@ import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.logging.AuditClient;
 import com.netscape.certsrv.logging.AuditConfig;
 import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmstools.cli.SubsystemCLI;
 
 /**
  * @author Endi S. Dewata
  */
 public class AuditCLI extends CLI {
 
+    public SubsystemCLI subsystemCLI;
     public AuditClient auditClient;
 
-    public AuditCLI(CLI parent) {
-        super("audit", "Audit management commands", parent);
+    public AuditCLI(SubsystemCLI subsystemCLI) {
+        super("audit", "Audit management commands", subsystemCLI);
+
+        this.subsystemCLI = subsystemCLI;
 
         addModule(new AuditModifyCLI(this));
         addModule(new AuditShowCLI(this));
@@ -52,7 +56,7 @@ public class AuditCLI extends CLI {
         if (auditClient != null) return auditClient;
 
         PKIClient client = getClient();
-        auditClient = (AuditClient)parent.getClient("audit");
+        auditClient = new AuditClient(client, subsystemCLI.getName());
 
         return auditClient;
     }
-- 
1.8.3.1


From 136d22953d05c459986a98465e4266bac37b44dc Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 29 Mar 2017 10:46:22 -0400
Subject: [PATCH 14/59] Fix generation of CRMF request for ECC keys

Old CRMFPopClients add the OID for ECC public keys in the encryption
algorithm OID for no obvious reason (considering the OID was never
read on the server side to begin with).

Now that we do read and use that field, we need to set it properly,
and also special case on the server side to handle old clients.

Change-Id: I0d753e572206e9062746c879ce683978e5e657bd
---
 .../src/com/netscape/cmstools/CRMFPopClient.java         | 16 +---------------
 base/util/src/netscape/security/util/WrappingParams.java | 11 ++++++++++-
 2 files changed, 11 insertions(+), 16 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 901528c..9d81a72 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -562,7 +562,7 @@ public class CRMFPopClient {
         }
 
         byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
-        AlgorithmIdentifier aid = getAlgorithmId(algorithm, encryptAlg, iv);
+        AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
         WrappingParams params = getWrappingParams(encryptAlg, iv);
 
         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
@@ -600,20 +600,6 @@ public class CRMFPopClient {
         }
     }
 
-    private AlgorithmIdentifier getAlgorithmId(String algorithm, EncryptionAlgorithm encryptAlg, byte[] iv)
-            throws Exception {
-        AlgorithmIdentifier aid;
-        if (algorithm.equals("rsa")) {
-            aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
-        } else if (algorithm.equals("ec")) {
-            // TODO(alee) figure out what this should be for ECC
-            aid = new AlgorithmIdentifier(new OBJECT_IDENTIFIER("1.2.840.10045.2.1"), new OCTET_STRING(iv));
-        } else {
-            throw new Exception("Unknown algorithm: " + algorithm);
-        }
-        return aid;
-    }
-
     public OCTET_STRING createIDPOPLinkWitness() throws Exception {
 
         String secretValue = "testing";
diff --git a/base/util/src/netscape/security/util/WrappingParams.java b/base/util/src/netscape/security/util/WrappingParams.java
index b2814a3..8fe5df6 100644
--- a/base/util/src/netscape/security/util/WrappingParams.java
+++ b/base/util/src/netscape/security/util/WrappingParams.java
@@ -58,7 +58,16 @@ public class WrappingParams {
 
     public WrappingParams(String encryptOID, String wrapName, String priKeyAlgo, IVParameterSpec encryptIV, IVParameterSpec wrapIV)
             throws NumberFormatException, NoSuchAlgorithmException {
-        EncryptionAlgorithm encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
+        EncryptionAlgorithm encrypt = null;
+        OBJECT_IDENTIFIER eccOID = new OBJECT_IDENTIFIER("1.2.840.10045.2.1");
+        if (encryptOID.equals(eccOID.toString())) {
+            // old CRMFPopClients send this OID for ECC Keys for no apparent reason.
+            // New clients set this correctly.
+            // We'll assume the old DES3 wrapping here.
+            encrypt = EncryptionAlgorithm.DES_CBC_PAD;
+        } else {
+            encrypt = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(encryptOID));
+        }
 
         KeyWrapAlgorithm wrap = null;
         if (wrapName != null) {
-- 
1.8.3.1


From 2d77ca150ee17238f4b137e3987a69e888141d51 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Wed, 29 Mar 2017 12:27:46 -0400
Subject: [PATCH 15/59] Change default key size for KRA storage unit to 128

Most of the research out there seems to indicate that AES-128 is
more than sufficient for security.  Use this as default.

Change-Id: Ie333282eacc5ce628c90296561e4cd6a76dcbd8e
---
 base/kra/shared/conf/CS.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 045a823..bd49a8d 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -279,7 +279,7 @@ kra.storageUnit.wrapping.0.payloadEncryptionIV=AQEBAQEBAQE=
 kra.storageUnit.wrapping.0.payloadWrapAlgorithm=DES3/CBC/Pad
 kra.storageUnit.wrapping.0.payloadWrapIV=AQEBAQEBAQE=
 kra.storageUnit.wrapping.0.sessionKeyType=DESede
-kra.storageUnit.wrapping.1.sessionKeyLength=256
+kra.storageUnit.wrapping.1.sessionKeyLength=128
 kra.storageUnit.wrapping.1.sessionKeyWrapAlgorithm=RSA
 kra.storageUnit.wrapping.1.payloadEncryptionPadding=PKCS5Padding
 kra.storageUnit.wrapping.1.sessionKeyKeyGenAlgorithm=AES
-- 
1.8.3.1


From 5dfd6e1c3cc38b5fbfdc4e96476934219f53e13f Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 3 Apr 2017 12:43:05 -0400
Subject: [PATCH 16/59] Added python info client

Add python client code to read from the InfoResource class and get
the server version.  As the PKIConnection in the python client
currently requires a subsystem, it is difficult to add an infoclient
to an existing KRAClient (or any other client).

To get around this, I modified the PKIConnection to allow using the
rootURI.

Change-Id: Ided75f45f741e2ba3fc86acec715d24b829c8a97
---
 base/common/python/pki/client.py | 51 ++++++++++++++++-----
 base/common/python/pki/info.py   | 98 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 138 insertions(+), 11 deletions(-)
 create mode 100644 base/common/python/pki/info.py

diff --git a/base/common/python/pki/client.py b/base/common/python/pki/client.py
index 90ca4fe..805d0fa 100644
--- a/base/common/python/pki/client.py
+++ b/base/common/python/pki/client.py
@@ -78,9 +78,8 @@ class PKIConnection:
         self.port = port
         self.subsystem = subsystem
 
-        self.serverURI = self.protocol + '://' + \
-            self.hostname + ':' + self.port + '/' + \
-            self.subsystem
+        self.rootURI = self.protocol + '://' + self.hostname + ':' + self.port
+        self.serverURI = self.rootURI + '/' + self.subsystem
 
         self.session = requests.Session()
         self.session.trust_env = trust_env
@@ -125,7 +124,8 @@ class PKIConnection:
             self.session.cert = pem_cert_path
 
     @catch_insecure_warning
-    def get(self, path, headers=None, params=None, payload=None):
+    def get(self, path, headers=None, params=None, payload=None,
+            use_root_uri=False):
         """
         Uses python-requests to issue a GET request to the server.
 
@@ -137,12 +137,19 @@ class PKIConnection:
         :type params: dict or bytes
         :param payload: data to be sent in the body of the request
         :type payload: dict, bytes, file-like object
+        :param use_root_uri: use root URI instead of subsystem URI as base
+        :type use_root_uri: boolean
         :returns: request.response -- response from the server
         :raises: Exception from python-requests in case the GET was not
             successful, or returns an error code.
         """
+        if use_root_uri:
+            target_path = self.rootURI + path
+        else:
+            target_path = self.serverURI + path
+
         r = self.session.get(
-            self.serverURI + path,
+            target_path,
             verify=False,
             headers=headers,
             params=params,
@@ -151,7 +158,8 @@ class PKIConnection:
         return r
 
     @catch_insecure_warning
-    def post(self, path, payload, headers=None, params=None):
+    def post(self, path, payload, headers=None, params=None,
+             use_root_uri=False):
         """
         Uses python-requests to issue a POST request to the server.
 
@@ -163,12 +171,19 @@ class PKIConnection:
         :type headers: dict
         :param params: Query parameters for the POST request
         :type params: dict or bytes
+        :param use_root_uri: use root URI instead of subsystem URI as base
+        :type use_root_uri: boolean
         :returns: request.response -- response from the server
         :raises: Exception from python-requests in case the POST was not
             successful, or returns an error code.
         """
+        if use_root_uri:
+            target_path = self.rootURI + path
+        else:
+            target_path = self.serverURI + path
+
         r = self.session.post(
-            self.serverURI + path,
+            target_path,
             verify=False,
             data=payload,
             headers=headers,
@@ -177,7 +192,7 @@ class PKIConnection:
         return r
 
     @catch_insecure_warning
-    def put(self, path, payload, headers=None):
+    def put(self, path, payload, headers=None, use_root_uri=False):
         """
         Uses python-requests to issue a PUT request to the server.
 
@@ -187,16 +202,23 @@ class PKIConnection:
         :type payload: dict, bytes, file-like object
         :param headers: headers for the PUT request
         :type headers: dict
+        :param use_root_uri: use root URI instead of subsystem URI as base
+        :type use_root_uri: boolean
         :returns: request.response -- response from the server
         :raises: Exception from python-requests in case the PUT was not
             successful, or returns an error code.
         """
-        r = self.session.put(self.serverURI + path, payload, headers=headers)
+        if use_root_uri:
+            target_path = self.rootURI + path
+        else:
+            target_path = self.serverURI + path
+
+        r = self.session.put(target_path, payload, headers=headers)
         r.raise_for_status()
         return r
 
     @catch_insecure_warning
-    def delete(self, path, headers=None):
+    def delete(self, path, headers=None, use_root_uri=False):
         """
         Uses python-requests to issue a DEL request to the server.
 
@@ -204,11 +226,18 @@ class PKIConnection:
         :type path: str
         :param headers: headers for the DEL request
         :type headers: dict
+        :param use_root_uri: use root URI instead of subsystem URI as base
+        :type use_root_uri: boolean
         :returns: request.response -- response from the server
         :raises: Exception from python-requests in case the DEL was not
             successful, or returns an error code.
         """
-        r = self.session.delete(self.serverURI + path, headers=headers)
+        if use_root_uri:
+            target_path = self.rootURI + path
+        else:
+            target_path = self.serverURI + path
+
+        r = self.session.delete(target_path, headers=headers)
         r.raise_for_status()
         return r
 
diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
new file mode 100644
index 0000000..65d4825
--- /dev/null
+++ b/base/common/python/pki/info.py
@@ -0,0 +1,98 @@
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the Lesser GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+#  along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2013 Red Hat, Inc.
+# All rights reserved.
+#
+# Author:
+#     Ade Lee <alee@redhat.com>
+#
+"""
+Module containing the Python client classes for the InfoClient
+"""
+from six import iteritems
+
+import pki
+
+
+class Info(object):
+    """
+    This class encapsulates the parameters returned by the server's
+    InfoService.
+    """
+
+    json_attribute_names = {
+        'Version': 'version',
+        'Banner': 'banner'
+    }
+
+    def __init__(self, version=None, banner=None):
+        """ Constructor """
+        self.version = version
+        self.banner = banner
+
+    @classmethod
+    def from_json(cls, attr_list):
+        """ Return Info from JSON dict """
+        info = cls()
+        for k, v in iteritems(attr_list):
+            if k in Info.json_attribute_names:
+                setattr(info, Info.json_attribute_names[k], v)
+            else:
+                setattr(info, k, v)
+        return info
+
+
+class Version(object):
+    """
+    This class encapsulates a version object as returned from
+    a Dogtag server and decomposes it into major, minor, etc.
+    """
+
+    def __init__(self, version_string):
+        for idx, val in enumerate(version_string.split('.')):
+            if idx == 0:
+                self.major = val
+            if idx == 1:
+                self.minor = val
+            if idx == 2:
+                self.patch = val
+
+
+class InfoClient(object):
+    """
+    Class encapsulating and mirroring the functionality in the
+    InfoResource Java interface class defining the REST API for
+    server Info resources.
+    """
+
+    def __init__(self, connection):
+        """ Constructor """
+        self.connection = connection
+
+    @pki.handle_exceptions()
+    def get_info(self):
+        """ Return an Info object form a PKI server """
+
+        url = '/pki/rest/info'
+        headers = {'Content-type': 'application/json',
+                   'Accept': 'application/json'}
+        r = self.connection.get(url, headers, use_root_uri=True)
+        return Info.from_json(r.json())
+
+    @pki.handle_exceptions()
+    def get_version(self):
+        """ return Version object from server """
+        version_string = self.get_info().version
+        return Version(version_string)
-- 
1.8.3.1


From a76ac1ca0472afb6931b9e3be156f1c057fcb161 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 3 Apr 2017 12:53:26 -0400
Subject: [PATCH 17/59] Add util code to source environment files

This is needed to set the same environment as the pki CLI
and pick up any client specific changes.

Change-Id: I92b4df75f2e3ee5112499a1d138e7e649a1214fc
---
 base/common/python/pki/util.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 68118f4..02ecde8 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -32,6 +32,11 @@ try:
 except ImportError:
     WindowsError = None
 
+import subprocess
+
+DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf',
+                        '/etc/pki/pki.conf']
+
 
 def copy(source, dest):
     """
@@ -245,3 +250,26 @@ def copytree(src, dst, symlinks=False, ignore=None):
             errors.extend((src, dst, str(why)))
     if errors:
         raise Error(errors)
+
+
+def read_environment_files(env_file_list=None):
+    if env_file_list is None:
+        env_file_list = DEFAULT_PKI_ENV_LIST
+
+    file_command = ''
+    for env_file in env_file_list:
+        file_command += "source " + env_file + " && "
+    file_command += "env"
+
+    command = [
+        'bash',
+        '-c',
+        file_command
+    ]
+
+    env_vals = subprocess.check_output(command).split('\n')
+
+    for env_val in env_vals:
+        (key, _, value) = env_val.partition("=")
+        os.environ[key] = value
+
-- 
1.8.3.1


From 8e7653987bf592ae6a5968fc0c5ef6696f13d348 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 28 Mar 2017 00:15:28 +0200
Subject: [PATCH 19/59] Added audit service and CLI to all subsystems.

Previously the audit service and CLI were only available on TPS.
Now they have been added to all subsystems.

Change-Id: I3b472254641eb887289c5122df390c46ccd97d47
---
 base/ca/shared/conf/acl.properties                          |  5 +++++
 base/ca/shared/conf/auth-method.properties                  |  1 +
 base/ca/shared/webapps/ca/WEB-INF/web.xml                   | 13 +++++++++++++
 base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java |  4 ++++
 base/java-tools/src/com/netscape/cmstools/cli/CACLI.java    |  2 ++
 base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java   |  2 ++
 base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java  |  2 ++
 base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java   |  2 ++
 base/kra/shared/conf/acl.properties                         |  5 +++++
 base/kra/shared/conf/auth-method.properties                 |  1 +
 base/kra/shared/webapps/kra/WEB-INF/web.xml                 | 13 +++++++++++++
 .../src/org/dogtagpki/server/kra/rest/KRAApplication.java   |  4 ++++
 base/ocsp/shared/conf/acl.properties                        |  5 +++++
 base/ocsp/shared/conf/auth-method.properties                |  1 +
 base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml               | 13 +++++++++++++
 .../src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java |  4 ++++
 base/tks/shared/conf/acl.properties                         |  5 +++++
 base/tks/shared/conf/auth-method.properties                 |  1 +
 base/tks/shared/webapps/tks/WEB-INF/web.xml                 | 13 +++++++++++++
 .../src/org/dogtagpki/server/tks/rest/TKSApplication.java   |  4 ++++
 base/tps/shared/conf/acl.properties                         |  7 +++++--
 21 files changed, 105 insertions(+), 2 deletions(-)

diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index 8b3e9d0..c487e48 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -7,6 +7,11 @@
 
 account.login = certServer.ca.account,login
 account.logout = certServer.ca.account,logout
+
+# audit configuration
+audit.read = certServer.log.configuration,read
+audit.modify = certServer.log.configuration,modify
+
 certs = certServer.ca.certs,execute
 certrequests = certServer.ca.certrequests,execute
 groups = certServer.ca.groups,execute
diff --git a/base/ca/shared/conf/auth-method.properties b/base/ca/shared/conf/auth-method.properties
index 8d67690..f7b203d 100644
--- a/base/ca/shared/conf/auth-method.properties
+++ b/base/ca/shared/conf/auth-method.properties
@@ -8,6 +8,7 @@
 
 default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
+audit = certUserDBAuthMgr
 authorities = certUserDBAuthMgr
 certs = certUserDBAuthMgr
 certrequests = certUserDBAuthMgr
diff --git a/base/ca/shared/webapps/ca/WEB-INF/web.xml b/base/ca/shared/webapps/ca/WEB-INF/web.xml
index d887db4..bf8aed4 100644
--- a/base/ca/shared/webapps/ca/WEB-INF/web.xml
+++ b/base/ca/shared/webapps/ca/WEB-INF/web.xml
@@ -2417,6 +2417,19 @@
 
     <security-constraint>
         <web-resource-collection>
+            <web-resource-name>Audit</web-resource-name>
+            <url-pattern>/rest/audit/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <security-constraint>
+        <web-resource-collection>
             <web-resource-name>Authority Services</web-resource-name>
             <url-pattern>/rest/authorities/*</url-pattern>
         </web-resource-collection>
diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
index b0fc73c..ae18e02 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
 
 import org.dogtagpki.server.rest.ACLInterceptor;
 import org.dogtagpki.server.rest.AccountService;
+import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
 import org.dogtagpki.server.rest.FeatureService;
 import org.dogtagpki.server.rest.GroupService;
@@ -32,6 +33,9 @@ public class CAApplication extends Application {
         // account
         classes.add(AccountService.class);
 
+        // audit
+        classes.add(AuditService.class);
+
         // installer
         classes.add(CAInstallerService.class);
 
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
index 2ec20dc..8e72405 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/CACLI.java
@@ -25,6 +25,7 @@ import com.netscape.cmstools.authority.AuthorityCLI;
 import com.netscape.cmstools.cert.CertCLI;
 import com.netscape.cmstools.feature.FeatureCLI;
 import com.netscape.cmstools.group.GroupCLI;
+import com.netscape.cmstools.logging.AuditCLI;
 import com.netscape.cmstools.profile.ProfileCLI;
 import com.netscape.cmstools.selftests.SelfTestCLI;
 import com.netscape.cmstools.system.KRAConnectorCLI;
@@ -41,6 +42,7 @@ public class CACLI extends SubsystemCLI {
         super("ca", "CA management commands", parent);
 
         addModule(new AuthorityCLI(this));
+        addModule(new AuditCLI(this));
         addModule(new CertCLI(this));
         addModule(new FeatureCLI(this));
         addModule(new GroupCLI(this));
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
index 2db85aa..190be11 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/KRACLI.java
@@ -23,6 +23,7 @@ import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.kra.KRAClient;
 import com.netscape.cmstools.group.GroupCLI;
 import com.netscape.cmstools.key.KeyCLI;
+import com.netscape.cmstools.logging.AuditCLI;
 import com.netscape.cmstools.selftests.SelfTestCLI;
 import com.netscape.cmstools.user.UserCLI;
 
@@ -36,6 +37,7 @@ public class KRACLI extends SubsystemCLI {
     public KRACLI(CLI parent) {
         super("kra", "KRA management commands", parent);
 
+        addModule(new AuditCLI(this));
         addModule(new GroupCLI(this));
         addModule(new KeyCLI(this));
         addModule(new SelfTestCLI(this));
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
index 6348359..15ec5e3 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/OCSPCLI.java
@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.ocsp.OCSPClient;
 import com.netscape.cmstools.group.GroupCLI;
+import com.netscape.cmstools.logging.AuditCLI;
 import com.netscape.cmstools.selftests.SelfTestCLI;
 import com.netscape.cmstools.user.UserCLI;
 
@@ -35,6 +36,7 @@ public class OCSPCLI extends SubsystemCLI {
     public OCSPCLI(CLI parent) {
         super("ocsp", "OCSP management commands", parent);
 
+        addModule(new AuditCLI(this));
         addModule(new GroupCLI(this));
         addModule(new SelfTestCLI(this));
         addModule(new UserCLI(this));
diff --git a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
index 1afdf64..1e2db2c 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/TKSCLI.java
@@ -22,6 +22,7 @@ import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.tks.TKSClient;
 import com.netscape.cmstools.group.GroupCLI;
+import com.netscape.cmstools.logging.AuditCLI;
 import com.netscape.cmstools.selftests.SelfTestCLI;
 import com.netscape.cmstools.system.TPSConnectorCLI;
 import com.netscape.cmstools.user.UserCLI;
@@ -36,6 +37,7 @@ public class TKSCLI extends SubsystemCLI {
     public TKSCLI(CLI parent) {
         super("tks", "TKS management commands", parent);
 
+        addModule(new AuditCLI(this));
         addModule(new GroupCLI(this));
         addModule(new SelfTestCLI(this));
         addModule(new TPSConnectorCLI(this));
diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
index 3fde904..8cac3ee 100644
--- a/base/kra/shared/conf/acl.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -7,6 +7,11 @@
 
 account.login = certServer.kra.account,login
 account.logout = certServer.kra.account,logout
+
+# audit configuration
+audit.read = certServer.log.configuration,read
+audit.modify = certServer.log.configuration,modify
+
 groups = certServer.kra.groups,execute
 keys = certServer.kra.keys,execute
 keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/kra/shared/conf/auth-method.properties b/base/kra/shared/conf/auth-method.properties
index 108448c..2944e49 100644
--- a/base/kra/shared/conf/auth-method.properties
+++ b/base/kra/shared/conf/auth-method.properties
@@ -8,6 +8,7 @@
 
 default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
+audit = certUserDBAuthMgr
 groups = certUserDBAuthMgr
 keys = certUserDBAuthMgr
 keyrequests = certUserDBAuthMgr
diff --git a/base/kra/shared/webapps/kra/WEB-INF/web.xml b/base/kra/shared/webapps/kra/WEB-INF/web.xml
index ce0a51e..5b7031a 100644
--- a/base/kra/shared/webapps/kra/WEB-INF/web.xml
+++ b/base/kra/shared/webapps/kra/WEB-INF/web.xml
@@ -1104,6 +1104,19 @@
         </user-data-constraint>
     </security-constraint>
 
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Audit</web-resource-name>
+            <url-pattern>/rest/audit/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
    [PKI_OPEN_STANDALONE_COMMENT]
     <security-constraint>
         <web-resource-collection>
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
index 773d8dd..6244270 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
 
 import org.dogtagpki.server.rest.ACLInterceptor;
 import org.dogtagpki.server.rest.AccountService;
+import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
 import org.dogtagpki.server.rest.GroupService;
 import org.dogtagpki.server.rest.MessageFormatInterceptor;
@@ -31,6 +32,9 @@ public class KRAApplication extends Application {
         // account
         classes.add(AccountService.class);
 
+        // audit
+        classes.add(AuditService.class);
+
         // installer
         classes.add(KRAInstallerService.class);
 
diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
index 9528f11..26b212d 100644
--- a/base/ocsp/shared/conf/acl.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -7,6 +7,11 @@
 
 account.login = certServer.ocsp.account,login
 account.logout = certServer.ocsp.account,logout
+
+# audit configuration
+audit.read = certServer.log.configuration,read
+audit.modify = certServer.log.configuration,modify
+
 groups = certServer.ocsp.groups,execute
 selftests.read = certServer.ocsp.selftests,read
 selftests.execute = certServer.ocsp.selftests,execute
diff --git a/base/ocsp/shared/conf/auth-method.properties b/base/ocsp/shared/conf/auth-method.properties
index 9f5a7a1..98aee66 100644
--- a/base/ocsp/shared/conf/auth-method.properties
+++ b/base/ocsp/shared/conf/auth-method.properties
@@ -8,6 +8,7 @@
 
 default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
+audit = certUserDBAuthMgr
 groups = certUserDBAuthMgr
 selftests = certUserDBAuthMgr
 users = certUserDBAuthMgr
diff --git a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
index b8eccf1..e610800 100644
--- a/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
+++ b/base/ocsp/shared/webapps/ocsp/WEB-INF/web.xml
@@ -726,6 +726,19 @@
         </user-data-constraint>
     </security-constraint>
 
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Audit</web-resource-name>
+            <url-pattern>/rest/audit/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
    [PKI_OPEN_STANDALONE_COMMENT]
     <security-constraint>
         <web-resource-collection>
diff --git a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
index 99fefae..8d6e4a9 100644
--- a/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
+++ b/base/ocsp/src/org/dogtagpki/server/ocsp/rest/OCSPApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
 
 import org.dogtagpki.server.rest.ACLInterceptor;
 import org.dogtagpki.server.rest.AccountService;
+import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
 import org.dogtagpki.server.rest.GroupService;
 import org.dogtagpki.server.rest.MessageFormatInterceptor;
@@ -31,6 +32,9 @@ public class OCSPApplication extends Application {
         // account
         classes.add(AccountService.class);
 
+        // audit
+        classes.add(AuditService.class);
+
         // installer
         classes.add(OCSPInstallerService.class);
 
diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
index d2c2372..7146d38 100644
--- a/base/tks/shared/conf/acl.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -7,6 +7,11 @@
 
 account.login = certServer.tks.account,login
 account.logout = certServer.tks.account,logout
+
+# audit configuration
+audit.read = certServer.log.configuration,read
+audit.modify = certServer.log.configuration,modify
+
 groups = certServer.tks.groups,execute
 selftests.read = certServer.tks.selftests,read
 selftests.execute = certServer.tks.selftests,execute
diff --git a/base/tks/shared/conf/auth-method.properties b/base/tks/shared/conf/auth-method.properties
index fe91b90..cc80825 100644
--- a/base/tks/shared/conf/auth-method.properties
+++ b/base/tks/shared/conf/auth-method.properties
@@ -8,6 +8,7 @@
 
 default = *
 account = certUserDBAuthMgr,passwdUserDBAuthMgr
+audit = certUserDBAuthMgr
 groups = certUserDBAuthMgr
 selftests = certUserDBAuthMgr
 tpsconnectors = certUserDBAuthMgr
diff --git a/base/tks/shared/webapps/tks/WEB-INF/web.xml b/base/tks/shared/webapps/tks/WEB-INF/web.xml
index 2d4c029..18c85a3 100644
--- a/base/tks/shared/webapps/tks/WEB-INF/web.xml
+++ b/base/tks/shared/webapps/tks/WEB-INF/web.xml
@@ -406,6 +406,19 @@
 
     <security-constraint>
         <web-resource-collection>
+            <web-resource-name>Audit</web-resource-name>
+            <url-pattern>/rest/audit/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>*</role-name>
+        </auth-constraint>
+        <user-data-constraint>
+            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
+        </user-data-constraint>
+    </security-constraint>
+
+    <security-constraint>
+        <web-resource-collection>
             <web-resource-name>Self Tests</web-resource-name>
             <url-pattern>/rest/selftests/*</url-pattern>
         </web-resource-collection>
diff --git a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
index 278076d..ca19e38 100644
--- a/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
+++ b/base/tks/src/org/dogtagpki/server/tks/rest/TKSApplication.java
@@ -7,6 +7,7 @@ import javax.ws.rs.core.Application;
 
 import org.dogtagpki.server.rest.ACLInterceptor;
 import org.dogtagpki.server.rest.AccountService;
+import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
 import org.dogtagpki.server.rest.GroupService;
 import org.dogtagpki.server.rest.MessageFormatInterceptor;
@@ -26,6 +27,9 @@ public class TKSApplication extends Application {
         // account
         classes.add(AccountService.class);
 
+        // audit
+        classes.add(AuditService.class);
+
         // installer
         classes.add(TKSInstallerService.class);
 
diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
index 2d2dc71..1c581b3 100644
--- a/base/tps/shared/conf/acl.properties
+++ b/base/tps/shared/conf/acl.properties
@@ -8,8 +8,11 @@
 
 account.login = certServer.tps.account,login
 account.logout = certServer.tps.account,logout
-audit.read = certServer.tps.audit,read
-audit.modify = certServer.tps.audit,modify
+
+# audit configuration
+audit.read = certServer.log.configuration,read
+audit.modify = certServer.log.configuration,modify
+
 authenticators.read = certServer.tps.authenticators,read
 authenticators.add = certServer.tps.authenticators,add
 authenticators.modify = certServer.tps.authenticators,modify
-- 
1.8.3.1


From 0b91066c5c5cb20e63d79d58a12a46e2069a11af Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 30 Mar 2017 17:12:02 +0200
Subject: [PATCH 20/59] Added PKIRESTProvider.

A new PKIRESTProvider has been added to send and receive
StreamingOutput object through REST API.

Change-Id: Iefc513aacb9fc26bc7c8c5cbfb4550a4a98da52e
---
 base/CMakeLists.txt                                |   7 ++
 base/ca/src/CMakeLists.txt                         |   7 --
 base/common/src/CMakeLists.txt                     |   2 +-
 .../com/netscape/certsrv/client/PKIConnection.java |   4 +-
 .../netscape/certsrv/client/PKIRESTProvider.java   | 118 +++++++++++++++++++++
 base/java-tools/src/CMakeLists.txt                 |   7 --
 base/server/cms/src/CMakeLists.txt                 |   7 --
 7 files changed, 128 insertions(+), 24 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java

diff --git a/base/CMakeLists.txt b/base/CMakeLists.txt
index d2ea9a5..4140adb 100644
--- a/base/CMakeLists.txt
+++ b/base/CMakeLists.txt
@@ -30,6 +30,13 @@ find_file(SLF4J_JDK14_JAR
         /usr/share/java/slf4j
 )
 
+find_file(COMMONS_IO_JAR
+    NAMES
+        commons-io.jar
+    PATHS
+        /usr/share/java
+)
+
 find_file(JACKSON_CORE_JAR
     NAMES
         jackson-core-asl.jar
diff --git a/base/ca/src/CMakeLists.txt b/base/ca/src/CMakeLists.txt
index 4982ef8..b23782d 100644
--- a/base/ca/src/CMakeLists.txt
+++ b/base/ca/src/CMakeLists.txt
@@ -24,13 +24,6 @@ find_file(COMMONS_CODEC_JAR
         /usr/share/java
 )
 
-find_file(COMMONS_IO_JAR
-    NAMES
-        commons-io.jar
-    PATHS
-        /usr/share/java
-)
-
 find_file(COMMONS_LANG_JAR
     NAMES
         commons-lang.jar
diff --git a/base/common/src/CMakeLists.txt b/base/common/src/CMakeLists.txt
index c08d1b7..705d62c 100644
--- a/base/common/src/CMakeLists.txt
+++ b/base/common/src/CMakeLists.txt
@@ -103,7 +103,7 @@ javac(pki-certsrv-classes
     CLASSPATH
         ${SLF4J_API_JAR}
         ${LDAPJDK_JAR} ${SERVLET_JAR} ${VELOCITY_JAR} ${XALAN_JAR} ${XERCES_JAR}
-        ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR}
+        ${JSS_JAR} ${COMMONS_CODEC_JAR} ${COMMONS_HTTPCLIENT_JAR} ${COMMONS_IO_JAR}
         ${APACHE_COMMONS_LANG_JAR}
         ${TOMCAT_CATALINA_JAR} ${TOMCAT_UTIL_JAR} ${SYMKEY_JAR}
         ${JAXRS_API_JAR} ${RESTEASY_JAXRS_JAR} ${RESTEASY_ATOM_PROVIDER_JAR} ${RESTEASY_CLIENT_JAR}
diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index b75e332..c2ffd09 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -76,7 +76,6 @@ import org.jboss.resteasy.client.jaxrs.ResteasyClient;
 import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
 import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
 import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
-import org.jboss.resteasy.spi.ResteasyProviderFactory;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
 import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
@@ -95,7 +94,6 @@ public class PKIConnection {
 
     ApacheHttpClient4Engine engine;
     ResteasyClient resteasyClient;
-    ResteasyProviderFactory providerFactory;
 
     int requestCounter;
     int responseCounter;
@@ -204,7 +202,9 @@ public class PKIConnection {
         });
 
         engine = new ApacheHttpClient4Engine(httpClient);
+
         resteasyClient = new ResteasyClientBuilder().httpEngine(engine).build();
+        resteasyClient.register(PKIRESTProvider.class);
     }
 
     public boolean isVerbose() {
diff --git a/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java
new file mode 100644
index 0000000..4018da3
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/client/PKIRESTProvider.java
@@ -0,0 +1,118 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.client;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.lang.annotation.Annotation;
+import java.lang.reflect.Type;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.Produces;
+import javax.ws.rs.WebApplicationException;
+import javax.ws.rs.core.MediaType;
+import javax.ws.rs.core.MultivaluedMap;
+import javax.ws.rs.core.StreamingOutput;
+import javax.ws.rs.ext.MessageBodyReader;
+import javax.ws.rs.ext.MessageBodyWriter;
+import javax.ws.rs.ext.Provider;
+
+import org.apache.commons.io.IOUtils;
+
+@Provider
+@Consumes(MediaType.APPLICATION_OCTET_STREAM)
+@Produces(MediaType.APPLICATION_OCTET_STREAM)
+public class PKIRESTProvider implements MessageBodyReader<StreamingOutput>, MessageBodyWriter<StreamingOutput> {
+
+    @Override
+    public boolean isReadable(
+            Class<?> type,
+            Type genericType,
+            Annotation[] annotations,
+            MediaType mediaType) {
+
+        return true;
+    }
+
+    @Override
+    public StreamingOutput readFrom(
+            Class<StreamingOutput> type,
+            Type genericType,
+            Annotation[] annotations,
+            MediaType mediaType,
+            MultivaluedMap<String, String> httpHeaders,
+            InputStream entityStream) throws IOException, WebApplicationException {
+
+        final File file = File.createTempFile("PKIRESTProvider-", ".tmp");
+        file.deleteOnExit();
+
+        FileOutputStream out = new FileOutputStream(file);
+        IOUtils.copy(entityStream, out);
+
+        return new StreamingOutput() {
+
+            @Override
+            public void write(OutputStream out) throws IOException, WebApplicationException {
+                FileInputStream in = new FileInputStream(file);
+                IOUtils.copy(in, out);
+            }
+
+            public void finalize() {
+                file.delete();
+            }
+        };
+    }
+
+    @Override
+    public long getSize(
+            StreamingOutput out,
+            Class<?> type,
+            Type genericType,
+            Annotation[] annotations,
+            MediaType mediaType) {
+
+        return -1;
+    }
+
+    @Override
+    public boolean isWriteable(
+            Class<?> type,
+            Type genericType,
+            Annotation[] annotations,
+            MediaType mediaType) {
+
+        return true;
+    }
+
+    @Override
+    public void writeTo(
+            StreamingOutput so,
+            Class<?> type,
+            Type genericType,
+            Annotation[] annotations,
+            MediaType mediaType,
+            MultivaluedMap<String, Object> httpHeaders,
+            OutputStream entityStream) throws IOException, WebApplicationException {
+
+        so.write(entityStream);
+    }
+}
diff --git a/base/java-tools/src/CMakeLists.txt b/base/java-tools/src/CMakeLists.txt
index c2f54d4..7c57eaa 100644
--- a/base/java-tools/src/CMakeLists.txt
+++ b/base/java-tools/src/CMakeLists.txt
@@ -37,13 +37,6 @@ find_file(COMMONS_CODEC_JAR
         /usr/share/java
 )
 
-find_file(COMMONS_IO_JAR
-    NAMES
-        commons-io.jar
-    PATHS
-        /usr/share/java
-)
-
 find_file(XALAN_JAR
     NAMES
         xalan-j2.jar
diff --git a/base/server/cms/src/CMakeLists.txt b/base/server/cms/src/CMakeLists.txt
index c66227c..e72a821 100644
--- a/base/server/cms/src/CMakeLists.txt
+++ b/base/server/cms/src/CMakeLists.txt
@@ -30,13 +30,6 @@ find_file(COMMONS_HTTPCLIENT_JAR
         /usr/share/java
 )
 
-find_file(COMMONS_IO_JAR
-    NAMES
-        commons-io.jar
-    PATHS
-        /usr/share/java
-)
-
 find_file(COMMONS_LANG_JAR
     NAMES
         commons-lang.jar
-- 
1.8.3.1


From 6a682f8e56c982ed0e0810326e71f9de23347590 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 4 Apr 2017 14:52:37 -0400
Subject: [PATCH 24/59] Fix pylint errors

---
 base/common/python/pki/info.py | 2 ++
 base/common/python/pki/util.py | 1 -
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
index 65d4825..b4da8b0 100644
--- a/base/common/python/pki/info.py
+++ b/base/common/python/pki/info.py
@@ -21,6 +21,8 @@
 """
 Module containing the Python client classes for the InfoClient
 """
+from __future__ import absolute_import
+from __future__ import print_function
 from six import iteritems
 
 import pki
diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 02ecde8..0765bcf 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -272,4 +272,3 @@ def read_environment_files(env_file_list=None):
     for env_val in env_vals:
         (key, _, value) = env_val.partition("=")
         os.environ[key] = value
-
-- 
1.8.3.1


From 88cd07655268831e14e7cd4f6f6a65e331f86583 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 28 Mar 2017 21:02:22 +0200
Subject: [PATCH 25/59] Added CLIs to access audit log files.

New pki audit commands have been added to list and retrieve audit
log files.

Change-Id: I785fa6f55d9b143f513d9210ebf82d04e06eaed5
---
 base/ca/shared/conf/acl.properties                 |   3 +
 .../com/netscape/certsrv/logging/AuditClient.java  |  11 ++
 .../com/netscape/certsrv/logging/AuditFile.java    | 123 +++++++++++++++++++++
 .../certsrv/logging/AuditFileCollection.java       |  38 +++++++
 .../netscape/certsrv/logging/AuditResource.java    |  19 +++-
 .../com/netscape/cmstools/logging/AuditCLI.java    |  11 ++
 .../cmstools/logging/AuditFileFindCLI.java         |  90 +++++++++++++++
 .../cmstools/logging/AuditFileRetrieveCLI.java     |  87 +++++++++++++++
 base/kra/shared/conf/acl.properties                |   3 +
 base/ocsp/shared/conf/acl.properties               |   3 +
 .../com/netscape/cms/servlet/base/PKIService.java  |   1 +
 .../org/dogtagpki/server/rest/AuditService.java    | 107 ++++++++++++++++++
 base/tks/shared/conf/acl.properties                |   3 +
 base/tps/shared/conf/acl.properties                |   3 +
 14 files changed, 501 insertions(+), 1 deletion(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFile.java
 create mode 100644 base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
 create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
 create mode 100644 base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java

diff --git a/base/ca/shared/conf/acl.properties b/base/ca/shared/conf/acl.properties
index c487e48..a8fe65c 100644
--- a/base/ca/shared/conf/acl.properties
+++ b/base/ca/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.ca.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 certs = certServer.ca.certs,execute
 certrequests = certServer.ca.certrequests,execute
 groups = certServer.ca.groups,execute
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditClient.java b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
index 018850c..9451e83 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditClient.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditClient.java
@@ -20,6 +20,7 @@ package com.netscape.certsrv.logging;
 import java.net.URISyntaxException;
 
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
 import com.netscape.certsrv.client.Client;
 import com.netscape.certsrv.client.PKIClient;
@@ -54,4 +55,14 @@ public class AuditClient extends Client {
         Response response = resource.changeAuditStatus(action);
         return client.getEntity(response, AuditConfig.class);
     }
+
+    public AuditFileCollection findAuditFiles() {
+        Response response = resource.findAuditFiles();
+        return client.getEntity(response, AuditFileCollection.class);
+    }
+
+    public StreamingOutput getAuditFile(String filename) throws Exception {
+        Response response = resource.getAuditFile(filename);
+        return client.getEntity(response, StreamingOutput.class);
+    }
 }
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFile.java b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
new file mode 100644
index 0000000..0edfc3a
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFile.java
@@ -0,0 +1,123 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.logging;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="AuditFile")
+@XmlAccessorType(XmlAccessType.NONE)
+public class AuditFile {
+
+    String name;
+    Long size;
+
+    @XmlAttribute(name="name")
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    @XmlElement(name="Size")
+    public Long getSize() {
+        return size;
+    }
+
+    public void setSize(Long size) {
+        this.size = size;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((name == null) ? 0 : name.hashCode());
+        result = prime * result + ((size == null) ? 0 : size.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AuditFile other = (AuditFile) obj;
+        if (name == null) {
+            if (other.name != null)
+                return false;
+        } else if (!name.equals(other.name))
+            return false;
+        if (size == null) {
+            if (other.size != null)
+                return false;
+        } else if (!size.equals(other.size))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            Marshaller marshaller = JAXBContext.newInstance(AuditFile.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static AuditFile valueOf(String string) throws Exception {
+        Unmarshaller unmarshaller = JAXBContext.newInstance(AuditFile.class).createUnmarshaller();
+        return (AuditFile)unmarshaller.unmarshal(new StringReader(string));
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        AuditFile before = new AuditFile();
+        before.setName("audit.log");
+        before.setSize(1024l);
+
+        String string = before.toString();
+        System.out.println(string);
+
+        AuditFile after = AuditFile.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
new file mode 100644
index 0000000..e5c4e20
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/AuditFileCollection.java
@@ -0,0 +1,38 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.certsrv.logging;
+
+import java.util.Collection;
+
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import com.netscape.certsrv.base.DataCollection;
+
+/**
+ * @author Endi S. Dewata
+ */
+@XmlRootElement(name="AuditFiles")
+public class AuditFileCollection extends DataCollection<AuditFile> {
+
+    @XmlElementRef
+    public Collection<AuditFile> getEntries() {
+        return super.getEntries();
+    }
+}
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditResource.java b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
index 9b14986..4d33735 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditResource.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditResource.java
@@ -20,8 +20,12 @@ package com.netscape.certsrv.logging;
 import javax.ws.rs.GET;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
+import javax.ws.rs.PathParam;
+import javax.ws.rs.Produces;
 import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
 import org.jboss.resteasy.annotations.ClientResponseType;
 
@@ -35,11 +39,11 @@ import com.netscape.certsrv.base.PATCH;
  */
 @Path("audit")
 @AuthMethodMapping("audit")
-@ACLMapping("audit.read")
 public interface AuditResource {
 
     @GET
     @ClientResponseType(entityType=AuditConfig.class)
+    @ACLMapping("audit.read")
     public Response getAuditConfig();
 
     @PATCH
@@ -52,4 +56,17 @@ public interface AuditResource {
     @ACLMapping("audit.modify")
     public Response changeAuditStatus(
             @QueryParam("action") String action);
+
+    @GET
+    @Path("files")
+    @ClientResponseType(entityType=AuditFileCollection.class)
+    @ACLMapping("audit-log.read")
+    public Response findAuditFiles();
+
+    @GET
+    @Path("files/{filename}")
+    @Produces(MediaType.APPLICATION_OCTET_STREAM)
+    @ClientResponseType(entityType=StreamingOutput.class)
+    @ACLMapping("audit-log.read")
+    public Response getAuditFile(@PathParam("filename") String filename);
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
index ff489dc..06ba040 100644
--- a/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditCLI.java
@@ -26,6 +26,7 @@ import org.jboss.resteasy.plugins.providers.atom.Link;
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.logging.AuditClient;
 import com.netscape.certsrv.logging.AuditConfig;
+import com.netscape.certsrv.logging.AuditFile;
 import com.netscape.cmstools.cli.CLI;
 import com.netscape.cmstools.cli.SubsystemCLI;
 
@@ -42,8 +43,13 @@ public class AuditCLI extends CLI {
 
         this.subsystemCLI = subsystemCLI;
 
+        // audit configuration
         addModule(new AuditModifyCLI(this));
         addModule(new AuditShowCLI(this));
+
+        // audit files
+        addModule(new AuditFileFindCLI(this));
+        addModule(new AuditFileRetrieveCLI(this));
     }
 
     @Override
@@ -83,4 +89,9 @@ public class AuditCLI extends CLI {
             System.out.println("  Link: " + link.getHref());
         }
     }
+
+    public static void printAuditFile(AuditFile auditFile) {
+        System.out.println("  File name: " + auditFile.getName());
+        System.out.println("  Size: " + auditFile.getSize());
+    }
 }
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
new file mode 100644
index 0000000..5ae9ce7
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileFindCLI.java
@@ -0,0 +1,90 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.logging;
+
+import java.util.Collection;
+
+import org.apache.commons.cli.CommandLine;
+
+import com.netscape.certsrv.logging.AuditClient;
+import com.netscape.certsrv.logging.AuditFile;
+import com.netscape.certsrv.logging.AuditFileCollection;
+import com.netscape.cmstools.cli.CLI;
+import com.netscape.cmstools.cli.MainCLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AuditFileFindCLI extends CLI {
+
+    public AuditCLI auditCLI;
+
+    public AuditFileFindCLI(AuditCLI auditCLI) {
+        super("file-find", "Find audit files", auditCLI);
+        this.auditCLI = auditCLI;
+
+        createOptions();
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + " [OPTIONS...]", options);
+    }
+
+    public void createOptions() {
+        options.addOption(null, "help", false, "Show help message.");
+    }
+
+    public void execute(String[] args) throws Exception {
+
+        CommandLine cmd = parser.parse(options, args);
+
+        if (cmd.hasOption("help")) {
+            printHelp();
+            return;
+        }
+
+        String[] cmdArgs = cmd.getArgs();
+
+        if (cmdArgs.length > 0) {
+            throw new Exception("Too many arguments specified.");
+        }
+
+        AuditClient auditClient = auditCLI.getAuditClient();
+        AuditFileCollection response = auditClient.findAuditFiles();
+
+        MainCLI.printMessage(response.getTotal() + " entries matched");
+        if (response.getTotal() == 0) return;
+
+        Collection<AuditFile> entries = response.getEntries();
+        boolean first = true;
+
+        for (AuditFile auditFile : entries) {
+
+            if (first) {
+                first = false;
+            } else {
+                System.out.println();
+            }
+
+            AuditCLI.printAuditFile(auditFile);
+        }
+
+        MainCLI.printMessage("Number of entries returned " + entries.size());
+    }
+}
diff --git a/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
new file mode 100644
index 0000000..07af3a4
--- /dev/null
+++ b/base/java-tools/src/com/netscape/cmstools/logging/AuditFileRetrieveCLI.java
@@ -0,0 +1,87 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package com.netscape.cmstools.logging;
+
+import java.io.FileOutputStream;
+import java.io.OutputStream;
+
+import javax.ws.rs.core.StreamingOutput;
+
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.Option;
+
+import com.netscape.certsrv.logging.AuditClient;
+import com.netscape.cmstools.cli.CLI;
+
+/**
+ * @author Endi S. Dewata
+ */
+public class AuditFileRetrieveCLI extends CLI {
+
+    public AuditCLI auditCLI;
+
+    public AuditFileRetrieveCLI(AuditCLI auditCLI) {
+        super("file-retrieve", "Retrieve audit file", auditCLI);
+        this.auditCLI = auditCLI;
+
+        createOptions();
+    }
+
+    public void printHelp() {
+        formatter.printHelp(getFullName() + " <filename> [OPTIONS...]", options);
+    }
+
+    public void createOptions() {
+        Option option = new Option(null, "output", true, "Output file.");
+        option.setArgName("path");
+        options.addOption(option);
+
+        options.addOption(null, "help", false, "Show help message.");
+    }
+
+    public void execute(String[] args) throws Exception {
+
+        CommandLine cmd = parser.parse(options, args);
+
+        if (cmd.hasOption("help")) {
+            printHelp();
+            return;
+        }
+
+        String[] cmdArgs = cmd.getArgs();
+
+        if (cmdArgs.length < 1) {
+            throw new Exception("Missing audit file name.");
+
+        } if (cmdArgs.length > 1) {
+            throw new Exception("Too many arguments specified.");
+        }
+
+        String filename = cmdArgs[0];
+        String output = cmd.getOptionValue("output");
+        if (output == null) output = filename;
+
+        AuditClient auditClient = auditCLI.getAuditClient();
+        StreamingOutput so = auditClient.getAuditFile(filename);
+
+        try (OutputStream out = new FileOutputStream(output)) {
+            so.write(out);
+        }
+    }
+}
diff --git a/base/kra/shared/conf/acl.properties b/base/kra/shared/conf/acl.properties
index 8cac3ee..bcb1456 100644
--- a/base/kra/shared/conf/acl.properties
+++ b/base/kra/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.kra.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.kra.groups,execute
 keys = certServer.kra.keys,execute
 keyrequests = certServer.kra.keyrequests,execute
diff --git a/base/ocsp/shared/conf/acl.properties b/base/ocsp/shared/conf/acl.properties
index 26b212d..e8188b8 100644
--- a/base/ocsp/shared/conf/acl.properties
+++ b/base/ocsp/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.ocsp.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.ocsp.groups,execute
 selftests.read = certServer.ocsp.selftests,read
 selftests.execute = certServer.ocsp.selftests,execute
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
index 8dfbef1..e023aa6 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/PKIService.java
@@ -59,6 +59,7 @@ public class PKIService {
             MediaType.APPLICATION_XML_TYPE,
             MediaType.APPLICATION_JSON_TYPE,
             MediaType.APPLICATION_FORM_URLENCODED_TYPE,
+            MediaType.APPLICATION_OCTET_STREAM_TYPE,
             MediaType.valueOf("application/pkix-cert"),
             MediaType.valueOf("application/pkcs7-mime"),
             MediaType.valueOf("application/x-pem-file")
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index 9af95d9..7bb048f 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -18,16 +18,27 @@
 
 package org.dogtagpki.server.rest;
 
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
+import java.util.ArrayList;
 import java.util.Collection;
+import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
 import java.util.TreeSet;
 
+import javax.ws.rs.WebApplicationException;
 import javax.ws.rs.core.Response;
+import javax.ws.rs.core.StreamingOutput;
 
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.lang.StringUtils;
 import org.jboss.resteasy.plugins.providers.atom.Link;
 
@@ -36,7 +47,10 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
+import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.logging.AuditConfig;
+import com.netscape.certsrv.logging.AuditFile;
+import com.netscape.certsrv.logging.AuditFileCollection;
 import com.netscape.certsrv.logging.AuditResource;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.SubsystemService;
@@ -299,6 +313,99 @@ public class AuditService extends SubsystemService implements AuditResource {
         }
     }
 
+    public File getCurrentLogFile() {
+        IConfigStore cs = CMS.getConfigStore();
+        String filename = cs.get("log.instance.SignedAudit.fileName");
+        return new File(filename);
+    }
+
+    public File getLogDirectory() {
+        File file = getCurrentLogFile();
+        return file.getParentFile();
+    }
+
+    public List<File> getLogFiles() {
+
+        List<String> filenames = new ArrayList<>();
+
+        File currentFile = getCurrentLogFile();
+        String currentFilename = currentFile.getName();
+        File logDir = currentFile.getParentFile();
+
+        // add all log files except the current one
+        for (String filename : logDir.list()) {
+            if (filename.equals(currentFilename)) continue;
+            filenames.add(filename);
+        }
+
+        // sort log files in ascending order
+        Collections.sort(filenames);
+
+        // add the current log file last (i.e. newest)
+        filenames.add(currentFilename);
+
+        List<File> files = new ArrayList<>();
+        for (String filename : filenames) {
+            files.add(new File(logDir, filename));
+        }
+
+        return files;
+    }
+
+    @Override
+    public Response findAuditFiles() {
+
+        AuditFileCollection response = new AuditFileCollection();
+
+        List<File> files = getLogFiles();
+
+        CMS.debug("Audit files:");
+        for (File file : files) {
+            String name = file.getName();
+            CMS.debug(" - " + name);
+
+            AuditFile auditFile = new AuditFile();
+            auditFile.setName(name);
+            auditFile.setSize(file.length());
+
+            response.addEntry(auditFile);
+        }
+
+        response.setTotal(files.size());
+
+        return createOKResponse(response);
+    }
+
+    @Override
+    public Response getAuditFile(String filename) {
+
+        // make sure filename does not contain path
+        if (!new File(filename).getName().equals(filename)) {
+            CMS.debug("Invalid file name: " + filename);
+            throw new BadRequestException("Invalid file name: " + filename);
+        }
+
+        File logDir = getLogDirectory();
+        File file = new File(logDir, filename);
+
+        if (!file.exists()) {
+            throw new ResourceNotFoundException("File not found: " + filename);
+        }
+
+        StreamingOutput so = new StreamingOutput() {
+
+            @Override
+            public void write(OutputStream out) throws IOException, WebApplicationException {
+
+                try (InputStream is = new FileInputStream(file)) {
+                    IOUtils.copy(is, out);
+                }
+            }
+        };
+
+        return createOKResponse(so);
+    }
+
     /*
      * in case of failure, "info" should be in the params
      */
diff --git a/base/tks/shared/conf/acl.properties b/base/tks/shared/conf/acl.properties
index 7146d38..5c072c7 100644
--- a/base/tks/shared/conf/acl.properties
+++ b/base/tks/shared/conf/acl.properties
@@ -12,6 +12,9 @@ account.logout = certServer.tks.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 groups = certServer.tks.groups,execute
 selftests.read = certServer.tks.selftests,read
 selftests.execute = certServer.tks.selftests,execute
diff --git a/base/tps/shared/conf/acl.properties b/base/tps/shared/conf/acl.properties
index 1c581b3..6b51485 100644
--- a/base/tps/shared/conf/acl.properties
+++ b/base/tps/shared/conf/acl.properties
@@ -13,6 +13,9 @@ account.logout = certServer.tps.account,logout
 audit.read = certServer.log.configuration,read
 audit.modify = certServer.log.configuration,modify
 
+# audit logs
+audit-log.read = certServer.log.content.signedAudit,read
+
 authenticators.read = certServer.tps.authenticators,read
 authenticators.add = certServer.tps.authenticators,add
 authenticators.modify = certServer.tps.authenticators,modify
-- 
1.8.3.1


From 4ab0608cbda0c9336c5eb9ea40a7d3ca769ab17b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 4 Apr 2017 17:53:53 +0200
Subject: [PATCH 26/59] Fixed PKIServerSocketListener.

The PKIServerSocketListener.alertReceived() has been fixed to
generate audit log when the SSL socket is closed by the client.

The log message has been modified to include the reason for the
termination.

https://pagure.io/dogtagpki/issue/2602

Change-Id: Ief2817f2b2b31cf6f60fae0ee4c55c17024f7988
---
 .../dogtagpki/server/PKIServerSocketListener.java  | 39 +++++++++++++++++++++-
 base/server/cmsbundle/src/LogMessages.properties   |  2 +-
 2 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
index f147c77..adba676 100644
--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
@@ -41,6 +41,42 @@ public class PKIServerSocketListener implements SSLSocketListener {
 
     @Override
     public void alertReceived(SSLAlertEvent event) {
+        try {
+            SSLSocket socket = event.getSocket();
+
+            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
+            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+            InetAddress serverAddress = socket.getLocalAddress();
+            String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
+            String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
+
+            SSLSecurityStatus status = socket.getStatus();
+            X509Certificate peerCertificate = status.getPeerCertificate();
+            Principal subjectDN = peerCertificate == null ? null : peerCertificate.getSubjectDN();
+            String subjectID = subjectDN == null ? "" : subjectDN.toString();
+
+            int description = event.getDescription();
+            String reason = SSLAlertDescription.valueOf(description).toString();
+
+            logger.debug("SSL alert received:");
+            logger.debug(" - client: " + clientAddress);
+            logger.debug(" - server: " + serverAddress);
+            logger.debug(" - reason: " + reason);
+
+            IAuditor auditor = CMS.getAuditor();
+
+            String auditMessage = CMS.getLogMessage(
+                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+                    clientIP,
+                    serverIP,
+                    subjectID,
+                    reason);
+
+            auditor.log(auditMessage);
+
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
     }
 
     @Override
@@ -75,7 +111,8 @@ public class PKIServerSocketListener implements SSLSocketListener {
                         "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
                         clientIP,
                         serverIP,
-                        subjectID);
+                        subjectID,
+                        reason);
 
                 auditor.log(auditMessage);
 
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index dde53ba..7572db4 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2737,7 +2737,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #    separated by + (if more than one name;;value pair) of config params changed
 #
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
-<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success] access session terminated
+<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP={0}][ServerIP={1}][SubjectID={2}][Outcome=Success][Info={3}] access session terminated
 
 
 ###########################
-- 
1.8.3.1


From 8463f5f791ced714d64ff891dc015666a971454b Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 3 Apr 2017 12:56:48 -0400
Subject: [PATCH 27/59] Add python-cryptography crypto provider

The python-cryptography provider is added.  It will use AES
mechanisms by default.  The eventual goal is to use this
provider by default, and to obsolete the NSS CryptoProvider.

Added some methods to determine which crypto keyset levels are
supported by the crypto provider.

Change-Id: Ifd47f0de765a9f0d157e8be678d5d06437bda819
---
 base/common/python/pki/crypto.py | 206 ++++++++++++++++++++++++++++++++++++---
 base/common/python/pki/util.py   |   6 +-
 2 files changed, 196 insertions(+), 16 deletions(-)

diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index 86fa16e..b767abd 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -23,13 +23,21 @@ Module containing crypto classes.
 """
 from __future__ import absolute_import
 import abc
-import nss.nss as nss
 import os
-import six
 import shutil
 import subprocess
 import tempfile
 
+import nss.nss as nss
+import six
+from cryptography.hazmat.backends import default_backend
+from cryptography.hazmat.primitives.ciphers import (
+    Cipher, algorithms, modes
+)
+from cryptography.hazmat.primitives import padding
+from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
+import cryptography.x509
+
 
 class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
     """
@@ -43,30 +51,32 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
     @abc.abstractmethod
     def initialize(self):
         """ Initialization code """
-        pass
 
-    @staticmethod
     @abc.abstractmethod
-    def generate_nonce_iv(mechanism):
+    def get_supported_algorithm_keyset(self):
+        """ returns highest supported algorithm keyset """
+
+    @abc.abstractmethod
+    def set_algorithm_keyset(self, level):
+        """ sets required keyset """
+
+    @abc.abstractmethod
+    def generate_nonce_iv(self, mechanism):
         """ Create a random initialization vector """
-        pass
 
     @abc.abstractmethod
     def generate_symmetric_key(self, mechanism=None, size=0):
         """ Generate and return a symmetric key """
-        pass
 
     @abc.abstractmethod
     def generate_session_key(self):
         """ Generate a session key to be used for wrapping data to the DRM
         This must return a 3DES 168 bit key """
-        pass
 
     @abc.abstractmethod
     def symmetric_wrap(self, data, wrapping_key, mechanism=None,
                        nonce_iv=None):
         """ encrypt data using a symmetric key (wrapping key)"""
-        pass
 
     @abc.abstractmethod
     def symmetric_unwrap(self, data, wrapping_key, mechanism=None,
@@ -77,7 +87,6 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
         The mechanism is the type of key used to do the wrapping.  It defaults
         to a 56 bit DES3 key.
         """
-        pass
 
     @abc.abstractmethod
     def asymmetric_wrap(self, data, wrapping_cert, mechanism=None):
@@ -86,12 +95,10 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
         The mechanism is the type of symmetric key, which defaults to a 56 bit
         DES3 key.
         """
-        pass
 
     # abc.abstractmethod
     def get_cert(self, cert_nick):
         """ Get the certificate for the specified cert_nick. """
-        pass
 
 
 class NSSCryptoProvider(CryptoProvider):
@@ -152,6 +159,18 @@ class NSSCryptoProvider(CryptoProvider):
         """
         nss.nss_init(self.certdb_dir)
 
+    def get_supported_algorithm_keyset(self):
+        """ returns highest supported algorithm keyset """
+        return 0
+
+    def set_algorithm_keyset(self, level):
+        """ sets required keyset """
+        if level > 0:
+            raise Exception("Invalid keyset")
+
+        # basically, do what we have always done, no need to set anything
+        # special here.
+
     def import_cert(self, cert_nick, cert, trust=',,'):
         """ Import a certificate into the nss database
         """
@@ -170,8 +189,7 @@ class NSSCryptoProvider(CryptoProvider):
                        '-i', cert_file.name]
             subprocess.check_call(command)
 
-    @staticmethod
-    def generate_nonce_iv(mechanism=nss.CKM_DES3_CBC_PAD):
+    def generate_nonce_iv(self, mechanism=nss.CKM_DES3_CBC_PAD):
         """ Create a random initialization vector """
         iv_length = nss.get_iv_length(mechanism)
         if iv_length > 0:
@@ -237,6 +255,8 @@ class NSSCryptoProvider(CryptoProvider):
         """
         :param data            Data to be wrapped
         :param wrapping_key    Symmetric key to wrap data
+        :param mechanism       Mechanism to user when wrapping
+        :param nonce_iv        Nonce to use when wrapping
 
         Wrap (encrypt) data using the supplied symmetric key
         """
@@ -255,6 +275,7 @@ class NSSCryptoProvider(CryptoProvider):
         """
         :param data            Data to be unwrapped
         :param wrapping_key    Symmetric key to unwrap data
+        :param mechanism       Mechanism to use when wrapping
         :param nonce_iv        iv data
 
         Unwrap (decrypt) data using the supplied symmetric key
@@ -288,3 +309,160 @@ class NSSCryptoProvider(CryptoProvider):
         Searches NSS database and returns SecItem object for this certificate.
         """
         return nss.find_cert_from_nickname(cert_nick)
+
+
+class CryptographyCryptoProvider(CryptoProvider):
+    """
+    Class that defines python-cryptography implementation of CryptoProvider.
+    Requires a PEM file containing the agent cert to be initialized.
+
+    Note that all inputs and outputs are unencoded.
+    """
+
+    def __init__(self, transport_cert_nick, transport_cert,
+                 backend=default_backend()):
+        """ Initialize python-cryptography
+        """
+        super(CryptographyCryptoProvider, self).__init__()
+        self.certs = {}
+
+        if not isinstance(transport_cert, cryptography.x509.Certificate):
+            # it's a file name
+            with open(transport_cert, 'r') as f:
+                transport_pem = f.read()
+            transport_cert = cryptography.x509.load_pem_x509_certificate(
+                transport_pem,
+                backend)
+
+        self.certs[transport_cert_nick] = transport_cert
+
+        # default to AES
+        self.encrypt_alg = algorithms.AES
+        self.encrypt_mode = modes.CBC
+        self.encrypt_size = 128
+        self.backend = backend
+
+    def initialize(self):
+        """
+        Any operations here that need to be performed before crypto
+        operations.
+        """
+        pass
+
+    def get_supported_algorithm_keyset(self):
+        """ returns highest supported algorithm keyset """
+        return 1
+
+    def set_algorithm_keyset(self, level):
+        """ sets required keyset """
+        if level > 1:
+            raise ValueError("Invalid keyset")
+        elif level == 1:
+            self.encrypt_alg = algorithms.AES
+            self.encrypt_mode = modes.CBC
+            self.encrypt_size = 128
+        elif level == 0:
+            self.encrypt_alg = algorithms.TripleDES
+            self.encrypt_mode = modes.CBC
+            self.encrypt_size = 168
+
+    def generate_nonce_iv(self, mechanism='AES'):
+        """ Create a random initialization vector """
+        return os.urandom(self.encrypt_alg.block_size // 8)
+
+    def generate_symmetric_key(self, mechanism=None, size=0):
+        """ Returns a symmetric key.
+        """
+        if mechanism is None:
+            size = self.encrypt_size // 8
+        return os.urandom(size)
+
+    def generate_session_key(self):
+        """ Returns a session key to be used when wrapping secrets for the DRM.
+        """
+        return self.generate_symmetric_key()
+
+    def symmetric_wrap(self, data, wrapping_key, mechanism=None,
+                       nonce_iv=None):
+        """
+        :param data            Data to be wrapped
+        :param wrapping_key    Symmetric key to wrap data
+        :param mechanism       Mechanism to use for wrapping key
+        :param nonce_iv        Nonce for initialization vector
+
+        Wrap (encrypt) data using the supplied symmetric key
+        """
+        # TODO(alee)  Not sure yet how to handle non-default mechanisms
+        # For now, lets just ignore them
+
+        if wrapping_key is None:
+            raise ValueError("Wrapping key must be provided")
+
+        if self.encrypt_mode.name == "CBC":
+            padder = padding.PKCS7(self.encrypt_alg.block_size).padder()
+            padded_data = padder.update(data) + padder.finalize()
+            data = padded_data
+        else:
+            raise ValueError('Only CBC mode is currently supported')
+
+        cipher = Cipher(self.encrypt_alg(wrapping_key),
+                        self.encrypt_mode(nonce_iv),
+                        backend=self.backend)
+
+        encryptor = cipher.encryptor()
+        ct = encryptor.update(data) + encryptor.finalize()
+        return ct
+
+    def symmetric_unwrap(self, data, wrapping_key,
+                         mechanism=None, nonce_iv=None):
+        """
+        :param data            Data to be unwrapped
+        :param wrapping_key    Symmetric key to unwrap data
+        :param mechanism       Mechanism to use when unwrapping
+        :param nonce_iv        iv data
+
+        Unwrap (decrypt) data using the supplied symmetric key
+        """
+
+        # TODO(alee) As above, no idea what to do with mechanism
+        # ignoring for now.
+
+        if wrapping_key is None:
+            raise ValueError("Wrapping key must be provided")
+
+        cipher = Cipher(self.encrypt_alg(wrapping_key),
+                        self.encrypt_mode(nonce_iv),
+                        backend=self.backend)
+
+        decryptor = cipher.decryptor()
+        unwrapped = decryptor.update(data) + decryptor.finalize()
+
+        if self.encrypt_mode.name == 'CBC':
+            unpadder = padding.PKCS7(self.encrypt_alg.block_size).unpadder()
+            unpadded = unpadder.update(unwrapped) + unpadder.finalize()
+            unwrapped = unpadded
+        else:
+            raise ValueError('Only CBC mode is currently supported')
+
+        return unwrapped
+
+    def asymmetric_wrap(self, data, wrapping_cert,
+                        mechanism=None):
+        """
+        :param data             Data to be wrapped
+        :param wrapping_cert    Public key to wrap data
+        :param mechanism        algorithm of symmetric key to be wrapped
+
+        Wrap (encrypt) data using the supplied asymmetric key
+        """
+        public_key = wrapping_cert.public_key()
+        return public_key.encrypt(
+            data,
+            PKCS1v15()
+        )
+
+    def get_cert(self, cert_nick):
+        """
+        :param cert_nick  Nickname for the certificate to be returned.
+        """
+        return self.certs[cert_nick]
diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 0765bcf..0de13fd 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -34,8 +34,10 @@ except ImportError:
 
 import subprocess
 
-DEFAULT_PKI_ENV_LIST = ['/usr/share/pki/etc/pki.conf',
-                        '/etc/pki/pki.conf']
+DEFAULT_PKI_ENV_LIST = [
+    '/usr/share/pki/etc/pki.conf',
+    '/etc/pki/pki.conf',
+]
 
 
 def copy(source, dest):
-- 
1.8.3.1


From a1e30184b675c69fa858eb4fb85a6d358deb9bf1 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Mon, 3 Apr 2017 13:00:03 -0400
Subject: [PATCH 28/59] Add code in KRA python client to support multiple
 crypto algorithms

Added code to:
* Add an InfoClient to the KRAClient
* Check the server, client and crypto provider keyset levels and
  select the highest possible level accordingly.
* Added new fields as returned by the server for retrieval.
* Added new fields to KeyRecoveryRequest as added in AES changes.

Changes to decode keywrapped symmetirc and asymmetric keys will
be added in subsequent patches.  Right now, encrypt/decrypt works.

Change-Id: Ifa7748d822c6b6f9a7c4afb395fb1388c587174d
---
 base/common/python/pki/info.py |  52 +++++++++++++++-----
 base/common/python/pki/key.py  | 105 ++++++++++++++++++++++++++++++++++-------
 base/common/python/pki/kra.py  |  23 ++++++---
 3 files changed, 144 insertions(+), 36 deletions(-)

diff --git a/base/common/python/pki/info.py b/base/common/python/pki/info.py
index b4da8b0..f4ab68c 100644
--- a/base/common/python/pki/info.py
+++ b/base/common/python/pki/info.py
@@ -56,20 +56,38 @@ class Info(object):
         return info
 
 
-class Version(object):
-    """
-    This class encapsulates a version object as returned from
-    a Dogtag server and decomposes it into major, minor, etc.
-    """
+class Version(tuple):
+    __slots__ = ()
+
+    def __new__(cls, version):
+        parts = [int(p) for p in version.split('.')]
+        if len(parts) < 3:
+            parts.extend([0] * (3 - len(parts)))
+        if len(parts) > 3:
+            raise ValueError(version)
+        return tuple.__new__(cls, tuple(parts))
+
+    def __str__(self):
+        return '{}.{}.{}'.format(*self)
+
+    def __repr__(self):
+        return "<Version('{}.{}.{}')>".format(*self)
 
-    def __init__(self, version_string):
-        for idx, val in enumerate(version_string.split('.')):
-            if idx == 0:
-                self.major = val
-            if idx == 1:
-                self.minor = val
-            if idx == 2:
-                self.patch = val
+    def __getnewargs__(self):
+        # pickle support
+        return str(self)
+
+    @property
+    def major(self):
+        return self[0]
+
+    @property
+    def minor(self):
+        return self[1]
+
+    @property
+    def patchlevel(self):
+        return self[2]
 
 
 class InfoClient(object):
@@ -98,3 +116,11 @@ class InfoClient(object):
         """ return Version object from server """
         version_string = self.get_info().version
         return Version(version_string)
+
+
+if __name__ == '__main__':
+    print(Version('10'))
+    print(Version('10.1'))
+    print(Version('10.1.1'))
+    print(tuple(Version('10.1.1')))
+    print(Version('10.1.1.1'))
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index da4efd6..6c5641a 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -27,12 +27,15 @@ from __future__ import absolute_import
 from __future__ import print_function
 import base64
 import json
+import os
 
 from six import iteritems
 from six.moves.urllib.parse import quote  # pylint: disable=F0401,E0611
 
 import pki
 import pki.encoder as encoder
+from pki.info import Version
+import pki.util
 
 
 # should be moved to request.py
@@ -58,7 +61,10 @@ class KeyData(object):
     json_attribute_names = {
         'nonceData': 'nonce_data',
         'wrappedPrivateData': 'wrapped_private_data',
-        'requestID': 'request_id'
+        'requestID': 'request_id',
+        'encryptAlgorithmOID': 'encrypt_algorithm_oid',
+        'wrapAlgorithm': 'wrap_algorithm',
+        'publicKey': 'public_key'
     }
 
     # pylint: disable=C0103
@@ -69,6 +75,10 @@ class KeyData(object):
         self.request_id = None
         self.size = None
         self.wrapped_private_data = None
+        self.encrypt_algorithm_oid = None
+        self.wrap_algorithm = None
+        self.public_key = None
+        self.type = None
 
     @classmethod
     def from_json(cls, attr_list):
@@ -102,6 +112,11 @@ class Key(object):
         self.algorithm = key_data.algorithm
         self.size = key_data.size
 
+        self.encrypt_algorithm_oid = getattr(
+            key_data, "encrypt_algorithm_oid", None)
+        self.wrap_algorithm = getattr(key_data, "wrap_algorithm", None)
+        self.public_key = getattr(key_data, "public_key", None)
+
         # To store the unwrapped key information.
         # The decryption takes place on the client side.
         self.data = None
@@ -341,7 +356,8 @@ class KeyRecoveryRequest(pki.ResourceMessage):
                  trans_wrapped_session_key=None,
                  session_wrapped_passphrase=None,
                  nonce_data=None, certificate=None,
-                 passphrase=None):
+                 passphrase=None, payload_wrapping_name=None,
+                 payload_encryption_oid=None):
         """ Constructor """
         pki.ResourceMessage.__init__(
             self,
@@ -354,6 +370,8 @@ class KeyRecoveryRequest(pki.ResourceMessage):
         self.add_attribute("certificate", certificate)
         self.add_attribute("passphrase", passphrase)
         self.add_attribute("keyId", key_id)
+        self.add_attribute("payloadWrappingName", payload_wrapping_name)
+        self.add_attribute("payloadEncryptionOID", payload_encryption_oid)
 
 
 class SymKeyGenerationRequest(pki.ResourceMessage):
@@ -443,8 +461,10 @@ class KeyClient(object):
 
     # default session key wrapping algorithm
     DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
+    AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
 
-    def __init__(self, connection, crypto, transport_cert_nick=None):
+    def __init__(self, connection, crypto, transport_cert_nick=None,
+                 info_client=None):
         """ Constructor """
         self.connection = connection
         self.headers = {'Content-type': 'application/json',
@@ -459,6 +479,10 @@ class KeyClient(object):
         else:
             self.transport_cert = None
 
+        self.info_client = info_client
+        self.encrypt_alg_oid = None
+        self.set_crypto_algorithms()
+
     def set_transport_cert(self, transport_cert_nick):
         """ Set the transport certificate for crypto operations """
         if transport_cert_nick is None:
@@ -467,6 +491,44 @@ class KeyClient(object):
         self.transport_cert = self.crypto.get_cert(transport_cert_nick)
 
     @pki.handle_exceptions()
+    def set_crypto_algorithms(self):
+        server_keyset = self.get_server_keyset()
+        client_keyset = self.get_client_keyset()
+        crypto_keyset = self.crypto.get_supported_algorithm_keyset()
+        keyset_id = min([server_keyset, client_keyset, crypto_keyset])
+
+        # set keyset in crypto provider
+        self.crypto.set_algorithm_keyset(keyset_id)
+
+        # set keyset related constants needed in KeyClient
+        if keyset_id == 0:
+            self.encrypt_alg_oid = self.DES_EDE3_CBC_OID
+        else:
+            self.encrypt_alg_oid = self.AES_128_CBC_OID
+
+    def get_client_keyset(self):
+        # get client keyset
+        pki.util.read_environment_files()
+        client_keyset = os.getenv('KEY_WRAP_PARAMETER_SET')
+        if client_keyset is not None:
+            return client_keyset
+        return 0
+
+    def get_server_keyset(self):
+        # get server keyset id
+        server_version = Version("0.0.0")
+        try:
+            server_version = self.info_client.get_version()
+        except Exception:    # pylint: disable=W0703
+            # TODO(alee) tighten up the exception here
+            pass
+
+        if server_version >= (10, 4):
+            return 1
+
+        return 0
+
+    @pki.handle_exceptions()
     def list_keys(self, client_key_id=None, status=None, max_results=None,
                   max_time=None, start=None, size=None, realm=None):
         """ List/Search archived secrets in the DRM.
@@ -785,7 +847,8 @@ class KeyClient(object):
             raise TypeError('Missing wrapped session key')
 
         if not algorithm_oid:
-            algorithm_oid = KeyClient.DES_EDE3_CBC_OID
+            algorithm_oid = KeyClient.AES_128_CBC_OID
+            # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
 
         if not nonce_iv:
             raise TypeError('Missing nonce IV')
@@ -910,7 +973,7 @@ class KeyClient(object):
            approval is required, then the KeyData will include the secret.
 
         *  If the key cannot be retrieved synchronously - ie. if more than one
-           approval is needed, then the KeyData obect will include the request
+           approval is needed, then the KeyData object will include the request
            ID for a recovery request that was created on the server.  When that
            request is approved, callers can retrieve the key using
            retrieve_key() and setting the request_id.
@@ -951,7 +1014,9 @@ class KeyClient(object):
             key_id=key_id,
             request_id=request_id,
             trans_wrapped_session_key=base64.b64encode(
-                trans_wrapped_session_key))
+                trans_wrapped_session_key),
+            payload_encryption_oid=self.encrypt_alg_oid
+        )
 
         key = self.retrieve_key_data(request)
         if not key_provided and key.encrypted_data is not None:
@@ -982,12 +1047,13 @@ class KeyClient(object):
 
         1) A passphrase is provided by the caller.
 
-           In this case, CryptoProvider methods will be called to create the data
-           to securely send the passphrase to the DRM.  Basically, three pieces of
-           data will be sent:
+           In this case, CryptoProvider methods will be called to create the
+           data to securely send the passphrase to the DRM.  Basically, three
+           pieces of data will be sent:
 
-           - the passphrase wrapped by a 168 bit 3DES symmetric key (the session
-             key).  This is referred to as the parameter session_wrapped_passphrase.
+           - the passphrase wrapped by a 168 bit 3DES symmetric key (the
+             session key).  This is referred to as the parameter
+             session_wrapped_passphrase.
 
            - the session key wrapped with the public key in the DRM transport
              certificate.  This is referred to as the trans_wrapped_session_key.
@@ -999,9 +1065,10 @@ class KeyClient(object):
         2) The caller provides the trans_wrapped_session_key,
            session_wrapped_passphrase and nonce_data.
 
-           In this case, the data will simply be passed to the DRM.  The function
-           will return the secret encrypted by the passphrase using PBE Encryption.
-           The secret will still need to be decrypted by the caller.
+           In this case, the data will simply be passed to the DRM.
+           The function will return the secret encrypted by the passphrase
+           using PBE Encryption.  The secret will still need to be decrypted
+           by the caller.
 
            The function will return the tuple (KeyData, None)
         """
@@ -1053,12 +1120,18 @@ def main():
     usages = [SymKeyGenerationRequest.DECRYPT_USAGE,
               SymKeyGenerationRequest.ENCRYPT_USAGE]
     gen_request = SymKeyGenerationRequest(client_key_id, 128, "AES", usages)
-    print(json.dumps(gen_request, cls=encoder.CustomTypeEncoder, sort_keys=True))
+    print(json.dumps(gen_request,
+                     cls=encoder.CustomTypeEncoder,
+                     sort_keys=True))
 
     print("printing key recovery request")
     key_request = KeyRecoveryRequest("25", "MX12345BBBAAA", None,
                                      "1234ABC", None, None)
-    print(json.dumps(key_request, cls=encoder.CustomTypeEncoder, sort_keys=True))
+    print(json.dumps(
+        key_request,
+        cls=encoder.CustomTypeEncoder,
+        sort_keys=True)
+    )
 
     print("printing key archival request")
     archival_request = KeyArchivalRequest(client_key_id, "symmetricKey",
diff --git a/base/common/python/pki/kra.py b/base/common/python/pki/kra.py
index b98f856..6b2de63 100644
--- a/base/common/python/pki/kra.py
+++ b/base/common/python/pki/kra.py
@@ -26,6 +26,7 @@ KeyRequestResource REST APIs.
 """
 
 from __future__ import absolute_import
+from pki.info import InfoClient
 import pki.key as key
 
 from pki.systemcert import SystemCertClient
@@ -41,18 +42,26 @@ class KRAClient(object):
         """ Constructor
 
         :param connection - PKIConnection object with DRM connection info.
-        :param crypto - CryptoProvider object.  NSSCryptoProvider is provided by
-                        default.  If a different crypto implementation is
+        :param crypto - CryptoProvider object.  NSSCryptoProvider is provided
+                        by default.  If a different crypto implementation is
                         desired, a different subclass of CryptoProvider must be
                         provided.
         :param transport_cert_nick - identifier for the DRM transport
                         certificate.  This will be passed to the
-                        CryptoProvider.get_cert() command to get a representation
-                        of the transport certificate usable for crypto ops.
-                        Note that for NSS databases, the database must have been
-                        initialized beforehand.
+                        CryptoProvider.get_cert() command to get a
+                        representation of the transport certificate usable for
+                        crypto ops.
+
+                        Note that for NSS databases, the database must have
+                        been initialized beforehand.
         """
         self.connection = connection
         self.crypto = crypto
-        self.keys = key.KeyClient(connection, crypto, transport_cert_nick)
+        self.info = InfoClient(connection)
+        self.keys = key.KeyClient(
+            connection,
+            crypto,
+            transport_cert_nick,
+            self.info
+        )
         self.system_certs = SystemCertClient(connection)
-- 
1.8.3.1


From 60f0adb9205d5c7d4d9294ca620530ff3df2000e Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 17 Mar 2017 04:48:07 +0100
Subject: [PATCH 31/59] Added SSLSocketListener for PKIConnection.

To help troubleshooting the PKIConnection has been modified to
register an SSL socket listener which will display SSL alerts
that it has received or sent.

https://pagure.io/dogtagpki/issue/2625

Change-Id: I8f2e4f55a3d6bc8a7360f666c9b18e4c0d6c6d83
---
 .../com/netscape/certsrv/client/PKIConnection.java | 40 ++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/base/common/src/com/netscape/certsrv/client/PKIConnection.java b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
index c2ffd09..d5e4c00 100644
--- a/base/common/src/com/netscape/certsrv/client/PKIConnection.java
+++ b/base/common/src/com/netscape/certsrv/client/PKIConnection.java
@@ -78,8 +78,13 @@ import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;
 import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.CryptoManager.NotInitializedException;
+import org.mozilla.jss.ssl.SSLAlertDescription;
+import org.mozilla.jss.ssl.SSLAlertEvent;
+import org.mozilla.jss.ssl.SSLAlertLevel;
 import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;
+import org.mozilla.jss.ssl.SSLHandshakeCompletedEvent;
 import org.mozilla.jss.ssl.SSLSocket;
+import org.mozilla.jss.ssl.SSLSocketListener;
 
 import com.netscape.certsrv.base.PKIException;
 
@@ -352,6 +357,41 @@ public class PKIConnection {
                 socket.setClientCertNickname(certNickname);
             }
 
+            socket.addSocketListener(new SSLSocketListener() {
+
+                @Override
+                public void alertReceived(SSLAlertEvent event) {
+
+                    int intLevel = event.getLevel();
+                    SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel);
+
+                    int intDescription = event.getDescription();
+                    SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription);
+
+                    if (level == SSLAlertLevel.FATAL || verbose) {
+                        System.err.println(level + ": SSL alert received: " + description);
+                    }
+                }
+
+                @Override
+                public void alertSent(SSLAlertEvent event) {
+
+                    int intLevel = event.getLevel();
+                    SSLAlertLevel level = SSLAlertLevel.valueOf(intLevel);
+
+                    int intDescription = event.getDescription();
+                    SSLAlertDescription description = SSLAlertDescription.valueOf(intDescription);
+
+                    if (level == SSLAlertLevel.FATAL || verbose) {
+                        System.err.println(level + ": SSL alert sent: " + description);
+                    }
+                }
+
+                @Override
+                public void handshakeCompleted(SSLHandshakeCompletedEvent event) {
+                }
+
+            });
             return socket;
         }
 
-- 
1.8.3.1


From 0409bfa35601a0b59f75c05cf8a34aed6514fc24 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 8 Apr 2017 09:04:54 +0200
Subject: [PATCH 32/59] Fixed pki user and group commands.

The UserCLI and GroupCLI have been fixed to use the subsystem name
in the client configuration object if available.

https://pagure.io/dogtagpki/issue/2626

Change-Id: Ibf099cefe880a238468fad7fb2aabc9cc2d55c1f
---
 base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java | 3 ++-
 base/java-tools/src/com/netscape/cmstools/user/UserCLI.java   | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
index 5ccf70d..95eb3a2 100644
--- a/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/group/GroupCLI.java
@@ -73,7 +73,8 @@ public class GroupCLI extends CLI {
             SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
             subsystem = subsystemCLI.getName();
         } else {
-            subsystem = "ca";
+            subsystem = client.getSubsystem();
+            if (subsystem == null) subsystem = "ca";
         }
 
         // create new group client
diff --git a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
index 1acbf0b..affda9c 100644
--- a/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/user/UserCLI.java
@@ -76,7 +76,8 @@ public class UserCLI extends CLI {
             SubsystemCLI subsystemCLI = (SubsystemCLI)parent;
             subsystem = subsystemCLI.getName();
         } else {
-            subsystem = "ca";
+            subsystem = client.getSubsystem();
+            if (subsystem == null) subsystem = "ca";
         }
 
         // create new user client
-- 
1.8.3.1


From 0c8aedd8a79841751005c531cf6cfbc08a4fd4dd Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Sat, 8 Apr 2017 09:05:48 +0200
Subject: [PATCH 33/59] Deprecated -t option for pki CLI.

The MainCLI has been modified to generate a deprecation warning
for the -t option.

Change-Id: I28ac45954a900f6944528ef52913982d72896c92
---
 base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
index d7aa54c..1b9c569 100644
--- a/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/cli/MainCLI.java
@@ -124,12 +124,12 @@ public class MainCLI extends CLI {
 
     public void printVersion() {
         Package pkg = MainCLI.class.getPackage();
-        System.out.println("PKI Command-Line Interface "+pkg.getImplementationVersion());
+        System.out.println("PKI Command-Line Interface " + pkg.getImplementationVersion());
     }
 
     public void printHelp() {
 
-        formatter.printHelp(name+" [OPTIONS..] <command> [ARGS..]", options);
+        formatter.printHelp(name + " [OPTIONS..] <command> [ARGS..]", options);
         System.out.println();
 
         int leftPadding = 1;
@@ -169,7 +169,7 @@ public class MainCLI extends CLI {
         option.setArgName("port");
         options.addOption(option);
 
-        option = new Option("t", true, "Subsystem type");
+        option = new Option("t", true, "Subsystem type (deprecated)");
         option.setArgName("type");
         options.addOption(option);
 
@@ -340,8 +340,10 @@ public class MainCLI extends CLI {
         if (uri == null)
             uri = protocol + "://" + hostname + ":" + port;
 
-        if (subsystem != null)
+        if (subsystem != null) {
+            System.err.println("WARNING: The -t option has been deprecated. Use pki " + subsystem + " command instead.");
             uri = uri + "/" + subsystem;
+        }
 
         config.setServerURI(uri);
 
-- 
1.8.3.1


From 9e3551fdb2c8d1f1bd7ad57249752c8ad6aece32 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 7 Apr 2017 19:45:10 +0200
Subject: [PATCH 34/59] Added FIPS-compliant password generator.

A new function has been added to generate a random password that
meets FIPS requirements for a strong password. This function is
used to generate NSS database password during installation.

https://pagure.io/dogtagpki/issue/2556

Change-Id: I64dd36125ec968f6253f90835e6065325d720032
---
 base/common/python/pki/__init__.py                 | 63 ++++++++++++++++++++++
 .../python/pki/server/deployment/pkiparser.py      | 12 +----
 2 files changed, 65 insertions(+), 10 deletions(-)

diff --git a/base/common/python/pki/__init__.py b/base/common/python/pki/__init__.py
index c015126..1fc5385 100644
--- a/base/common/python/pki/__init__.py
+++ b/base/common/python/pki/__init__.py
@@ -26,7 +26,9 @@ from __future__ import print_function
 
 from functools import wraps
 import os
+import random
 import re
+import string
 import sys
 
 import requests
@@ -124,6 +126,67 @@ def implementation_version():
     raise Exception('Missing implementation version.')
 
 
+def generate_password():
+    """
+    This function generates FIPS-compliant password.
+
+    See sftk_newPinCheck() in the following file:
+    https://dxr.mozilla.org/nss/source/nss/lib/softoken/fipstokn.c
+
+    The minimum password length is FIPS_MIN_PIN Unicode characters.
+
+    The password must contain at least 3 character classes:
+     * digits (string.digits)
+     * ASCII lowercase letters (string.ascii_lowercase)
+     * ASCII uppercase letters (string.ascii_uppercase)
+     * ASCII non-alphanumeric characters (string.punctuation)
+     * non-ASCII characters
+
+    If an ASCII uppercase letter is the first character of the password,
+    the uppercase letter is not counted toward its character class.
+
+    If a digit is the last character of the password, the digit is not
+    counted toward its character class.
+
+    The FIPS_MIN_PIN is defined in the following file:
+    https://dxr.mozilla.org/nss/source/nss/lib/softoken/pkcs11i.h
+
+    #define FIPS_MIN_PIN 7
+    """
+
+    rnd = random.SystemRandom()
+
+    valid_chars = string.digits +\
+        string.ascii_lowercase +\
+        string.ascii_uppercase +\
+        string.punctuation
+
+    chars = []
+
+    # add 1 random char from each char class to meet
+    # the minimum number of char class requirement
+    chars.append(rnd.choice(string.digits))
+    chars.append(rnd.choice(string.ascii_lowercase))
+    chars.append(rnd.choice(string.ascii_uppercase))
+    chars.append(rnd.choice(string.punctuation))
+
+    # add 6 additional random chars
+    chars.extend(rnd.choice(valid_chars) for i in range(6))
+
+    # randomize the char order
+    rnd.shuffle(chars)
+
+    # add 2 random chars at the beginning and the end
+    # to maintain the minimum number of char class
+    chars.insert(0, rnd.choice(valid_chars))
+    chars.append(rnd.choice(valid_chars))
+
+    # final password is 12 chars
+    password = ''.join(chars)
+
+    return password
+
+
 # pylint: disable=R0903
 class Attribute(object):
     """
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index e05e0be..df04ff8 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -583,12 +583,6 @@ class PKIConfigParser:
 
             self.deployer.flatten_master_dict()
 
-            # Generate random 'pin's for use as security database passwords
-            # and add these to the "sensitive" key value pairs read in from
-            # the configuration file
-            pin_low = 100000000000
-            pin_high = 999999999999
-
             instance = pki.server.PKIInstance(self.mdict['pki_instance_name'])
             instance.load()
 
@@ -604,11 +598,9 @@ class PKIConfigParser:
 
             # otherwise, generate a random password
             else:
-                self.mdict['pki_pin'] = \
-                    random.randint(pin_low, pin_high)
+                self.mdict['pki_pin'] = pki.generate_password()
 
-            self.mdict['pki_client_pin'] = \
-                random.randint(pin_low, pin_high)
+            self.mdict['pki_client_pin'] = pki.generate_password()
 
             pkilogging.sensitive_parameters = \
                 self.mdict['sensitive_parameters'].split()
-- 
1.8.3.1


From d8081073d10065987341a6583a6a7e7351b22438 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 11 Apr 2017 18:04:41 +0200
Subject: [PATCH 35/59] Added pki-server <subsystem>-audit-file-find CLI.

A new pki-server <subsystem>-audit-file-find CLI has been added
to list audit log files on the server.

Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
---
 base/server/python/pki/server/__init__.py  |  14 ++++
 base/server/python/pki/server/cli/audit.py | 109 +++++++++++++++++++++++++++++
 base/server/python/pki/server/cli/ca.py    |   2 +
 base/server/python/pki/server/cli/kra.py   |   2 +
 base/server/python/pki/server/cli/ocsp.py  |   2 +
 base/server/python/pki/server/cli/tks.py   |   2 +
 base/server/python/pki/server/cli/tps.py   |   2 +
 7 files changed, 133 insertions(+)
 create mode 100644 base/server/python/pki/server/cli/audit.py

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 5032274..112dcbf 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,20 @@ class PKISubsystem(object):
 
         pki.util.customize_file(input_file, output_file, params)
 
+    def get_audit_log_files(self):
+
+        current_file_path = self.config['log.instance.SignedAudit.fileName']
+        (log_dir, current_file) = os.path.split(current_file_path)
+
+        # sort log files based on timestamp
+        files = [f for f in os.listdir(log_dir) if f != current_file]
+        files.sort()
+
+        # put the current log file at the end
+        files.append(current_file)
+
+        return files
+
     def __repr__(self):
         return str(self.instance) + '/' + self.name
 
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
new file mode 100644
index 0000000..3bb9d5f
--- /dev/null
+++ b/base/server/python/pki/server/cli/audit.py
@@ -0,0 +1,109 @@
+# Authors:
+#     Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2017 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+from __future__ import print_function
+import getopt
+import sys
+
+import pki.cli
+
+
+class AuditCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditCLI, self).__init__(
+            'audit', 'Audit management commands')
+
+        self.parent = parent
+        self.add_module(AuditFileFindCLI(self))
+
+
+class AuditFileFindCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditFileFindCLI, self).__init__(
+            'file-find', 'Find audit log files')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-file-find [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, args):
+
+        try:
+            opts, _ = getopt.gnu_getopt(args, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        log_files = subsystem.get_audit_log_files()
+
+        self.print_message('%s entries matched' % len(log_files))
+
+        first = True
+        for filename in log_files:
+            if first:
+                first = False
+            else:
+                print()
+
+            print('  File name: %s' % filename)
diff --git a/base/server/python/pki/server/cli/ca.py b/base/server/python/pki/server/cli/ca.py
index 1d1c00f..550e511 100644
--- a/base/server/python/pki/server/cli/ca.py
+++ b/base/server/python/pki/server/cli/ca.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class CACLI(pki.cli.CLI):
@@ -38,6 +39,7 @@ class CACLI(pki.cli.CLI):
 
         self.add_module(CACertCLI())
         self.add_module(CACloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class CACertCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/kra.py b/base/server/python/pki/server/cli/kra.py
index 5558d6a..3724014 100644
--- a/base/server/python/pki/server/cli/kra.py
+++ b/base/server/python/pki/server/cli/kra.py
@@ -32,6 +32,7 @@ import tempfile
 import time
 
 import pki.cli
+import pki.server.cli.audit
 
 
 KRA_VLVS = ['allKeys', 'kraAll',
@@ -51,6 +52,7 @@ class KRACLI(pki.cli.CLI):
 
         self.add_module(KRACloneCLI())
         self.add_module(KRADBCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class KRACloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/ocsp.py b/base/server/python/pki/server/cli/ocsp.py
index 246f593..3e9b6aa 100644
--- a/base/server/python/pki/server/cli/ocsp.py
+++ b/base/server/python/pki/server/cli/ocsp.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class OCSPCLI(pki.cli.CLI):
@@ -37,6 +38,7 @@ class OCSPCLI(pki.cli.CLI):
             'ocsp', 'OCSP management commands')
 
         self.add_module(OCSPCloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class OCSPCloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/tks.py b/base/server/python/pki/server/cli/tks.py
index 2c4157a..0e6a998 100644
--- a/base/server/python/pki/server/cli/tks.py
+++ b/base/server/python/pki/server/cli/tks.py
@@ -28,6 +28,7 @@ import sys
 import tempfile
 
 import pki.cli
+import pki.server.cli.audit
 
 
 class TKSCLI(pki.cli.CLI):
@@ -37,6 +38,7 @@ class TKSCLI(pki.cli.CLI):
             'tks', 'TKS management commands')
 
         self.add_module(TKSCloneCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class TKSCloneCLI(pki.cli.CLI):
diff --git a/base/server/python/pki/server/cli/tps.py b/base/server/python/pki/server/cli/tps.py
index 1f71b8e..03df8de 100644
--- a/base/server/python/pki/server/cli/tps.py
+++ b/base/server/python/pki/server/cli/tps.py
@@ -32,6 +32,7 @@ import tempfile
 import time
 
 import pki.cli
+import pki.server.cli.audit
 
 
 TPS_VLV_PATH = '/usr/share/pki/tps/conf/vlv.ldif'
@@ -46,6 +47,7 @@ class TPSCLI(pki.cli.CLI):
 
         self.add_module(TPSCloneCLI())
         self.add_module(TPSDBCLI())
+        self.add_module(pki.server.cli.audit.AuditCLI(self))
 
 
 class TPSCloneCLI(pki.cli.CLI):
-- 
1.8.3.1


From a29888e42c14c9c7e642769b747bb288d39a0809 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 11 Apr 2017 18:04:41 +0200
Subject: [PATCH 36/59] Added pki-server <subsystem>-audit-file-verify CLI.

A new pki-server <subsystem>-audit-file-verify CLI has been added
to verify audit log files on the server.

Change-Id: I88e827d45cfb83cf34052146e2ec678f4cd2345f
---
 base/server/python/pki/server/__init__.py  |  5 ++
 base/server/python/pki/server/cli/audit.py | 91 ++++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 112dcbf..8898654 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -389,6 +389,11 @@ class PKISubsystem(object):
 
         pki.util.customize_file(input_file, output_file, params)
 
+    def get_audit_log_dir(self):
+
+        current_file_path = self.config['log.instance.SignedAudit.fileName']
+        return os.path.dirname(current_file_path)
+
     def get_audit_log_files(self):
 
         current_file_path = self.config['log.instance.SignedAudit.fileName']
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index 3bb9d5f..0833ca8 100644
--- a/base/server/python/pki/server/cli/audit.py
+++ b/base/server/python/pki/server/cli/audit.py
@@ -21,7 +21,11 @@
 from __future__ import absolute_import
 from __future__ import print_function
 import getopt
+import os
+import shutil
+import subprocess
 import sys
+import tempfile
 
 import pki.cli
 
@@ -34,6 +38,7 @@ class AuditCLI(pki.cli.CLI):
 
         self.parent = parent
         self.add_module(AuditFileFindCLI(self))
+        self.add_module(AuditFileVerifyCLI(self))
 
 
 class AuditFileFindCLI(pki.cli.CLI):
@@ -107,3 +112,89 @@ class AuditFileFindCLI(pki.cli.CLI):
                 print()
 
             print('  File name: %s' % filename)
+
+
+class AuditFileVerifyCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditFileVerifyCLI, self).__init__(
+            'file-verify', 'Verify audit log files')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-file-verify [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, args):
+
+        try:
+            opts, _ = getopt.gnu_getopt(args, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        log_dir = subsystem.get_audit_log_dir()
+        log_files = subsystem.get_audit_log_files()
+        signing_cert = subsystem.get_subsystem_cert('audit_signing')
+
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            file_list = os.path.join(tmpdir, 'audit.txt')
+
+            with open(file_list, 'w') as f:
+                for filename in log_files:
+                    f.write(os.path.join(log_dir, filename) + '\n')
+
+            cmd = ['AuditVerify',
+                   '-d', instance.nssdb_dir,
+                   '-n', signing_cert['nickname'],
+                   '-a', file_list]
+
+            if self.verbose:
+                print('Command: %s' % ' '.join(cmd))
+
+            subprocess.call(cmd)
+
+        finally:
+            shutil.rmtree(tmpdir)
-- 
1.8.3.1


From 77d2064858e4623fa25f4986647f318d8bf8a6f7 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 7 Apr 2017 12:23:47 -0400
Subject: [PATCH 37/59] Add KRAInfo resource

This resource (which will be accessed at /kra/rest/info)
will initially return the mechanism for archival or retrieval.

This is needed by clients to know how to package secrets when
archiving.

Change-Id: I6990ebb9c9dafc4158e51ba61a30e773d1d953ec
---
 .../src/com/netscape/certsrv/kra/KRAClient.java    |   3 +
 base/common/src/org/dogtagpki/common/KRAInfo.java  | 136 +++++++++++++++++++++
 .../src/org/dogtagpki/common/KRAInfoClient.java    |  48 ++++++++
 .../src/org/dogtagpki/common/KRAInfoResource.java  |  40 ++++++
 .../dogtagpki/server/kra/rest/KRAApplication.java  |   4 +
 .../org/dogtagpki/server/rest/KRAInfoService.java  |  67 ++++++++++
 6 files changed, 298 insertions(+)
 create mode 100644 base/common/src/org/dogtagpki/common/KRAInfo.java
 create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoClient.java
 create mode 100644 base/common/src/org/dogtagpki/common/KRAInfoResource.java
 create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java

diff --git a/base/common/src/com/netscape/certsrv/kra/KRAClient.java b/base/common/src/com/netscape/certsrv/kra/KRAClient.java
index 1eb102f..9440174 100644
--- a/base/common/src/com/netscape/certsrv/kra/KRAClient.java
+++ b/base/common/src/com/netscape/certsrv/kra/KRAClient.java
@@ -1,5 +1,7 @@
 package com.netscape.certsrv.kra;
 
+import org.dogtagpki.common.KRAInfoClient;
+
 import com.netscape.certsrv.client.PKIClient;
 import com.netscape.certsrv.client.SubsystemClient;
 import com.netscape.certsrv.group.GroupClient;
@@ -22,5 +24,6 @@ public class KRAClient extends SubsystemClient {
         addClient(new SelfTestClient(client, name));
         addClient(new SystemCertClient(client, name));
         addClient(new UserClient(client, name));
+        addClient(new KRAInfoClient(client, name));
     }
 }
diff --git a/base/common/src/org/dogtagpki/common/KRAInfo.java b/base/common/src/org/dogtagpki/common/KRAInfo.java
new file mode 100644
index 0000000..e17bd64
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/KRAInfo.java
@@ -0,0 +1,136 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.base.ResourceMessage;
+
+/**
+ * @author Ade Lee
+ */
+@XmlRootElement(name="KRAInfo")
+public class KRAInfo extends ResourceMessage {
+
+    private static Logger logger = LoggerFactory.getLogger(Info.class);
+
+    public static Marshaller marshaller;
+    public static Unmarshaller unmarshaller;
+
+    static {
+        try {
+            marshaller = JAXBContext.newInstance(KRAInfo.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+            unmarshaller = JAXBContext.newInstance(KRAInfo.class).createUnmarshaller();
+        } catch (Exception e) {
+            logger.error(e.getMessage(), e);
+        }
+    }
+
+    String archivalMechanism;
+    String recoveryMechanism;
+
+    @XmlElement(name="ArchivalMechanism")
+    public String getArchivalMechanism() {
+        return archivalMechanism;
+    }
+
+    public void setArchivalMechanism(String archivalMechanism) {
+        this.archivalMechanism = archivalMechanism;
+    }
+
+    @XmlElement(name="RecoveryMechanism")
+    public String getRecoveryMechanism() {
+        return recoveryMechanism;
+    }
+
+    public void setRecoveryMechanism(String recoveryMechanism) {
+        this.recoveryMechanism = recoveryMechanism;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = super.hashCode();
+        result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
+        result = prime * result + ((recoveryMechanism == null) ? 0 : recoveryMechanism.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (!super.equals(obj))
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        KRAInfo other = (KRAInfo) obj;
+        if (archivalMechanism == null) {
+            if (other.archivalMechanism != null)
+                return false;
+        } else if (!archivalMechanism.equals(other.archivalMechanism))
+            return false;
+        if (recoveryMechanism == null) {
+            if (other.recoveryMechanism != null)
+                return false;
+        } else if (!recoveryMechanism.equals(other.recoveryMechanism))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static KRAInfo valueOf(String string) throws Exception {
+        return (KRAInfo)unmarshaller.unmarshal(new StringReader(string));
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        KRAInfo before = new KRAInfo();
+        before.setArchivalMechanism("encrypt");
+        before.setRecoveryMechanism("keywrap");
+
+        String string = before.toString();
+        System.out.println(string);
+
+        KRAInfo after = KRAInfo.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
+
diff --git a/base/common/src/org/dogtagpki/common/KRAInfoClient.java b/base/common/src/org/dogtagpki/common/KRAInfoClient.java
new file mode 100644
index 0000000..c998401
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/KRAInfoClient.java
@@ -0,0 +1,48 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2017 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import java.net.URISyntaxException;
+
+import javax.ws.rs.core.Response;
+
+import com.netscape.certsrv.client.Client;
+import com.netscape.certsrv.client.PKIClient;
+
+/**
+ * @author Ade Lee
+ */
+public class KRAInfoClient extends Client {
+
+    public KRAInfoResource resource;
+
+    public KRAInfoClient(PKIClient client, String subsystem) throws URISyntaxException {
+        super(client, subsystem, "info");
+        init();
+    }
+
+    public void init() throws URISyntaxException {
+        resource = createProxy(KRAInfoResource.class);
+    }
+
+    public KRAInfo getInfo() throws Exception {
+        Response response = resource.getInfo();
+        return client.getEntity(response, KRAInfo.class);
+    }
+}
diff --git a/base/common/src/org/dogtagpki/common/KRAInfoResource.java b/base/common/src/org/dogtagpki/common/KRAInfoResource.java
new file mode 100644
index 0000000..540e3a6
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/KRAInfoResource.java
@@ -0,0 +1,40 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Response;
+
+import org.jboss.resteasy.annotations.ClientResponseType;
+
+/**
+ * @author Ade Lee
+ */
+@Path("info")
+public interface KRAInfoResource {
+
+    String ENCRYPT_MECHANISM = "encrypt";
+    String KEYWRAP_MECHANISM = "keywrap";
+
+    @GET
+    @ClientResponseType(entityType=KRAInfo.class)
+    public Response getInfo() throws Exception;
+}
+
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
index 6244270..a1f58a8 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KRAApplication.java
@@ -10,6 +10,7 @@ import org.dogtagpki.server.rest.AccountService;
 import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
 import org.dogtagpki.server.rest.GroupService;
+import org.dogtagpki.server.rest.KRAInfoService;
 import org.dogtagpki.server.rest.MessageFormatInterceptor;
 import org.dogtagpki.server.rest.PKIExceptionMapper;
 import org.dogtagpki.server.rest.SecurityDomainService;
@@ -67,6 +68,9 @@ public class KRAApplication extends Application {
         // exception mapper
         classes.add(PKIExceptionMapper.class);
 
+        // info service
+        classes.add(KRAInfoService.class);
+
         // interceptors
         singletons.add(new SessionContextInterceptor());
         singletons.add(new AuthMethodInterceptor());
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
new file mode 100644
index 0000000..c4b3252
--- /dev/null
+++ b/base/server/cms/src/org/dogtagpki/server/rest/KRAInfoService.java
@@ -0,0 +1,67 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.server.rest;
+
+import javax.servlet.http.HttpSession;
+import javax.ws.rs.core.Response;
+
+import org.dogtagpki.common.KRAInfo;
+import org.dogtagpki.common.KRAInfoResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.cms.servlet.base.PKIService;
+
+/**
+ * @author Ade Lee
+ */
+public class KRAInfoService extends PKIService implements KRAInfoResource {
+
+    private static Logger logger = LoggerFactory.getLogger(InfoService.class);
+
+    @Override
+    public Response getInfo() throws Exception {
+
+        HttpSession session = servletRequest.getSession();
+        logger.debug("KRAInfoService.getInfo(): session: " + session.getId());
+
+        KRAInfo info = new KRAInfo();
+        info.setArchivalMechanism(getArchivalMechanism());
+        info.setRecoveryMechanism(getRecoveryMechanism());
+
+
+        return createOKResponse(info);
+    }
+
+    String getArchivalMechanism() throws EBaseException {
+        IConfigStore cs = CMS.getConfigStore();
+        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+        return encrypt_archival ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
+    }
+
+    String getRecoveryMechanism() throws EBaseException {
+        IConfigStore cs = CMS.getConfigStore();
+        boolean encrypt_recovery = cs.getBoolean("kra.allowEncDecrypt.recovery", false);
+        return encrypt_recovery ? KRAInfoResource.ENCRYPT_MECHANISM : KRAInfoResource.KEYWRAP_MECHANISM;
+    }
+}
+
-- 
1.8.3.1


From 24d7e952e4f048fcb58dcd1b33009e92afde365d Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Fri, 7 Apr 2017 16:52:31 -0400
Subject: [PATCH 38/59] Add CAInfo resource

This resource (which will be accessed at /ca/rest/info)
will initially return the mechanism for archival.

This is needed by clients to know how to package secrets when
archiving.  We may add the transport cert later.

Change-Id: Ib13d52344e38dc9b54c0d2a1645f1211dd84069b
---
 .../dogtagpki/server/ca/rest/CAApplication.java    |   4 +
 base/common/src/org/dogtagpki/common/CAInfo.java   | 119 +++++++++++++++++++++
 .../src/org/dogtagpki/common/CAInfoClient.java     |  49 +++++++++
 .../src/org/dogtagpki/common/CAInfoResource.java   |  37 +++++++
 .../org/dogtagpki/server/rest/CAInfoService.java   |  64 +++++++++++
 5 files changed, 273 insertions(+)
 create mode 100644 base/common/src/org/dogtagpki/common/CAInfo.java
 create mode 100644 base/common/src/org/dogtagpki/common/CAInfoClient.java
 create mode 100644 base/common/src/org/dogtagpki/common/CAInfoResource.java
 create mode 100644 base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
index ae18e02..45881b9 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/CAApplication.java
@@ -9,6 +9,7 @@ import org.dogtagpki.server.rest.ACLInterceptor;
 import org.dogtagpki.server.rest.AccountService;
 import org.dogtagpki.server.rest.AuditService;
 import org.dogtagpki.server.rest.AuthMethodInterceptor;
+import org.dogtagpki.server.rest.CAInfoService;
 import org.dogtagpki.server.rest.FeatureService;
 import org.dogtagpki.server.rest.GroupService;
 import org.dogtagpki.server.rest.MessageFormatInterceptor;
@@ -65,6 +66,9 @@ public class CAApplication extends Application {
         // features
         classes.add(FeatureService.class);
 
+        // info service
+        classes.add(CAInfoService.class);
+
         // security domain
         IConfigStore cs = CMS.getConfigStore();
 
diff --git a/base/common/src/org/dogtagpki/common/CAInfo.java b/base/common/src/org/dogtagpki/common/CAInfo.java
new file mode 100644
index 0000000..89255ed
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/CAInfo.java
@@ -0,0 +1,119 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import java.io.StringReader;
+import java.io.StringWriter;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlRootElement;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.base.ResourceMessage;
+
+/**
+ * @author Ade Lee
+ */
+@XmlRootElement(name="CAInfo")
+public class CAInfo extends ResourceMessage {
+
+    private static Logger logger = LoggerFactory.getLogger(Info.class);
+
+    public static Marshaller marshaller;
+    public static Unmarshaller unmarshaller;
+
+    static {
+        try {
+            marshaller = JAXBContext.newInstance(CAInfo.class).createMarshaller();
+            marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, true);
+            unmarshaller = JAXBContext.newInstance(CAInfo.class).createUnmarshaller();
+        } catch (Exception e) {
+            logger.error(e.getMessage(), e);
+        }
+    }
+
+    String archivalMechanism;
+
+    @XmlElement(name="ArchivalMechanism")
+    public String getArchivalMechanism() {
+        return archivalMechanism;
+    }
+
+    public void setArchivalMechanism(String archivalMechanism) {
+        this.archivalMechanism = archivalMechanism;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = super.hashCode();
+        result = prime * result + ((archivalMechanism == null) ? 0 : archivalMechanism.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (!super.equals(obj))
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        CAInfo other = (CAInfo) obj;
+        if (archivalMechanism == null) {
+            if (other.archivalMechanism != null)
+                return false;
+        } else if (!archivalMechanism.equals(other.archivalMechanism))
+            return false;
+        return true;
+    }
+
+    public String toString() {
+        try {
+            StringWriter sw = new StringWriter();
+            marshaller.marshal(this, sw);
+            return sw.toString();
+
+        } catch (Exception e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static CAInfo valueOf(String string) throws Exception {
+        return (CAInfo)unmarshaller.unmarshal(new StringReader(string));
+    }
+
+    public static void main(String args[]) throws Exception {
+
+        CAInfo before = new CAInfo();
+        before.setArchivalMechanism("encrypt");
+
+        String string = before.toString();
+        System.out.println(string);
+
+        CAInfo after = CAInfo.valueOf(string);
+        System.out.println(before.equals(after));
+    }
+}
+
diff --git a/base/common/src/org/dogtagpki/common/CAInfoClient.java b/base/common/src/org/dogtagpki/common/CAInfoClient.java
new file mode 100644
index 0000000..859c829
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/CAInfoClient.java
@@ -0,0 +1,49 @@
+//--- BEGIN COPYRIGHT BLOCK ---
+//This program is free software; you can redistribute it and/or modify
+//it under the terms of the GNU General Public License as published by
+//the Free Software Foundation; version 2 of the License.
+//
+//This program is distributed in the hope that it will be useful,
+//but WITHOUT ANY WARRANTY; without even the implied warranty of
+//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+//GNU General Public License for more details.
+//
+//You should have received a copy of the GNU General Public License along
+//with this program; if not, write to the Free Software Foundation, Inc.,
+//51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+//(C) 2017 Red Hat, Inc.
+//All rights reserved.
+//--- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import java.net.URISyntaxException;
+
+import javax.ws.rs.core.Response;
+
+import com.netscape.certsrv.client.Client;
+import com.netscape.certsrv.client.PKIClient;
+
+/**
+ * @author Ade Lee
+ */
+public class CAInfoClient extends Client {
+
+    public CAInfoResource resource;
+
+    public CAInfoClient(PKIClient client, String subsystem) throws URISyntaxException {
+        super(client, subsystem, "info");
+        init();
+    }
+
+    public void init() throws URISyntaxException {
+        resource = createProxy(CAInfoResource.class);
+    }
+
+    public CAInfo getInfo() throws Exception {
+        Response response = resource.getInfo();
+        return client.getEntity(response, CAInfo.class);
+    }
+}
+
diff --git a/base/common/src/org/dogtagpki/common/CAInfoResource.java b/base/common/src/org/dogtagpki/common/CAInfoResource.java
new file mode 100644
index 0000000..6c18cd5
--- /dev/null
+++ b/base/common/src/org/dogtagpki/common/CAInfoResource.java
@@ -0,0 +1,37 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.common;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.Response;
+
+import org.jboss.resteasy.annotations.ClientResponseType;
+
+/**
+ * @author Ade Lee
+ */
+@Path("info")
+public interface CAInfoResource {
+
+    @GET
+    @ClientResponseType(entityType=CAInfo.class)
+    public Response getInfo() throws Exception;
+}
+
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
new file mode 100644
index 0000000..975ad61
--- /dev/null
+++ b/base/server/cms/src/org/dogtagpki/server/rest/CAInfoService.java
@@ -0,0 +1,64 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2017 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+
+package org.dogtagpki.server.rest;
+
+import javax.servlet.http.HttpSession;
+import javax.ws.rs.core.Response;
+
+import org.dogtagpki.common.CAInfo;
+import org.dogtagpki.common.CAInfoResource;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.cms.servlet.base.PKIService;
+
+/**
+ * @author Ade Lee
+ */
+public class CAInfoService extends PKIService implements CAInfoResource {
+
+    private static Logger logger = LoggerFactory.getLogger(InfoService.class);
+
+    @Override
+    public Response getInfo() throws Exception {
+
+        HttpSession session = servletRequest.getSession();
+        logger.debug("CAInfoService.getInfo(): session: " + session.getId());
+
+        CAInfo info = new CAInfo();
+        String archivalMechanism = getArchivalMechanism();
+
+        if (archivalMechanism != null)
+            info.setArchivalMechanism(getArchivalMechanism());
+
+        return createOKResponse(info);
+    }
+
+    String getArchivalMechanism() throws EBaseException {
+        IConfigStore cs = CMS.getConfigStore();
+        boolean kra_present = cs.getBoolean("ca.connector.KRA.enable", false);
+        if (!kra_present) return null;
+
+        boolean encrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+        return encrypt_archival ? KRAInfoService.ENCRYPT_MECHANISM : KRAInfoService.KEYWRAP_MECHANISM;
+    }
+}
-- 
1.8.3.1


From 2a73c978784d58b11375aa724cbd2c04607eafc1 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 01:51:40 +0200
Subject: [PATCH 40/59] Added audit event constants for SSL session.

Change-Id: I73b3a69ffc289ad6bf89eebaa2d95237df25551f
---
 .../src/com/netscape/certsrv/logging/AuditEvent.java       | 14 ++++++++++----
 base/server/cms/src/com/netscape/cms/logging/LogFile.java  |  4 +---
 .../src/org/dogtagpki/server/PKIServerSocketListener.java  |  9 +++++----
 3 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 8ae5cd6..b409a12 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,10 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
-    /**
-     *
-     */
+    public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
+            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
+    public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS";
+    public final static String ACCESS_SESSION_TERMINATED =
+            "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED";
+    public final static String AUDIT_LOG_SIGNING =
+            "LOGGING_SIGNED_AUDIT_SIGNING_3";
+
     private static final long serialVersionUID = -844306657733902324L;
+    private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
 
     protected Object mParams[] = null;
 
@@ -54,7 +61,6 @@ public class AuditEvent implements IBundleLogEvent {
      * The bundle name for this event.
      */
     private String mBundleName = LogResources.class.getName();
-    private static final String INVALID_LOG_LEVEL = "log level: {0} is invalid, should be 0-6";
 
     /**
      * Constructs a message event
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index 9d19edd..fdf3f83 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -104,8 +104,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
 
     private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP =
                                "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
-    private final static String LOGGING_SIGNED_AUDIT_SIGNING =
-                               "LOGGING_SIGNED_AUDIT_SIGNING_3";
     private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN =
                                "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
     private final static String LOG_SIGNED_AUDIT_EXCEPTION =
@@ -723,7 +721,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
         // so as to avoid infinite recursiveness of calling
         // the log() method
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SIGNING,
+                AuditEvent.AUDIT_LOG_SIGNING,
                 ILogger.SYSTEM_UID,
                 ILogger.SUCCESS,
                 base64Encode(sigBytes));
diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
index adba676..7016bc8 100644
--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
@@ -33,6 +33,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.IAuditor;
 
 public class PKIServerSocketListener implements SSLSocketListener {
@@ -66,7 +67,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
             IAuditor auditor = CMS.getAuditor();
 
             String auditMessage = CMS.getLogMessage(
-                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+                    AuditEvent.ACCESS_SESSION_TERMINATED,
                     clientIP,
                     serverIP,
                     subjectID,
@@ -108,7 +109,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
             if (description == SSLAlertDescription.CLOSE_NOTIFY.getID()) {
 
                 String auditMessage = CMS.getLogMessage(
-                        "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED",
+                        AuditEvent.ACCESS_SESSION_TERMINATED,
                         clientIP,
                         serverIP,
                         subjectID,
@@ -119,7 +120,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
             } else {
 
                 String auditMessage = CMS.getLogMessage(
-                        "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE",
+                        AuditEvent.ACCESS_SESSION_ESTABLISH_FAILURE,
                         clientIP,
                         serverIP,
                         subjectID,
@@ -157,7 +158,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
             IAuditor auditor = CMS.getAuditor();
 
             String auditMessage = CMS.getLogMessage(
-                    "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS",
+                    AuditEvent.ACCESS_SESSION_ESTABLISH_SUCCESS,
                     clientIP,
                     serverIP,
                     subjectID);
-- 
1.8.3.1


From e22d0e99aa33bccc3e4041f5ed501fedf0dcae49 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 02:28:31 +0200
Subject: [PATCH 41/59] Added audit event constants for TPS.

Change-Id: Id7845ebf2a14cebe25189a8363cee759030a16cb
---
 .../dogtagpki/server/ca/rest/AuthorityService.java |  7 +--
 .../com/netscape/certsrv/logging/AuditEvent.java   | 51 ++++++++++++++++++++++
 .../cms/servlet/base/SubsystemService.java         |  3 +-
 .../server/tps/processor/TPSEnrollProcessor.java   | 15 +++++-----
 .../server/tps/processor/TPSPinResetProcessor.java |  5 ++-
 .../server/tps/processor/TPSProcessor.java         | 23 ++++++------
 .../server/tps/rest/AuthenticatorService.java      |  3 +-
 .../server/tps/rest/ConnectorService.java          |  3 +-
 .../server/tps/rest/ProfileMappingService.java     |  3 +-
 .../dogtagpki/server/tps/rest/ProfileService.java  |  3 +-
 .../dogtagpki/server/tps/rest/TokenService.java    |  5 ++-
 11 files changed, 86 insertions(+), 35 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
index 215d0fa..7ba9596 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/AuthorityService.java
@@ -55,6 +55,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.ca.IssuerUnavailableException;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.SubsystemService;
 import com.netscape.cmsutil.util.Utils;
@@ -70,10 +71,6 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
         hostCA = (ICertificateAuthority) CMS.getSubsystem("ca");
     }
 
-    private final static String LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG =
-            "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
-
-
     @Override
     public Response listCAs() {
         List<AuthorityData> results = new ArrayList<>();
@@ -373,7 +370,7 @@ public class AuthorityService extends SubsystemService implements AuthorityResou
             String status, String op, String id,
             Map<String, String> params) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG,
+                AuditEvent.AUTHORITY_CONFIG,
                 auditor.getSubjectID(),
                 status,
                 auditor.getParamString(ScopeDef.SC_AUTHORITY, op, id, params));
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index b409a12..abe16b6 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,57 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String TOKEN_CERT_ENROLLMENT =
+            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+    public final static String TOKEN_CERT_RENEWAL =
+            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
+    public final static String TOKEN_CERT_RETRIEVAL =
+            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
+    public final static String TOKEN_KEY_RECOVERY =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10";
+    public final static String TOKEN_CERT_STATUS_CHANGE_REQUEST =
+            "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
+    public final static String TOKEN_PIN_RESET_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
+    public final static String TOKEN_PIN_RESET_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
+    public final static String TOKEN_OP_REQUEST =
+            "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
+    public final static String TOKEN_FORMAT_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
+    public final static String TOKEN_FORMAT_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
+    public final static String TOKEN_APPLET_UPGRADE_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
+    public final static String TOKEN_APPLET_UPGRADE_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
+    public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
+    public final static String TOKEN_KEY_CHANGEOVER_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
+    public final static String TOKEN_KEY_CHANGEOVER_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
+    public final static String TOKEN_AUTH_FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
+    public final static String TOKEN_AUTH_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+    public final static String CONFIG_TOKEN_GENERAL =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5";
+    public final static String CONFIG_TOKEN_PROFILE =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6";
+    public final static String CONFIG_TOKEN_MAPPING_RESOLVER =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6";
+    public final static String CONFIG_TOKEN_AUTHENTICATOR =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6";
+    public final static String CONFIG_TOKEN_CONNECTOR =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6";
+    public final static String CONFIG_TOKEN_RECORD =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6";
+    public final static String TOKEN_STATE_CHANGE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8";
+    public final static String AUTHORITY_CONFIG =
+            "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
+
     public final static String ACCESS_SESSION_ESTABLISH_FAILURE =
             "LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE";
     public final static String ACCESS_SESSION_ESTABLISH_SUCCESS =
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
index 48c985c..30d6b9c 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/SubsystemService.java
@@ -28,6 +28,7 @@ import javax.ws.rs.core.HttpHeaders;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.IAuditor;
 import com.netscape.certsrv.logging.ILogger;
 
@@ -94,7 +95,7 @@ public class SubsystemService extends PKIService {
     public void auditConfigTokenGeneral(String status, String service, Map<String, String> params, String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5",
+                AuditEvent.CONFIG_TOKEN_GENERAL,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 672f53d..118bf50 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,12 +15,6 @@ import java.util.Map;
 import java.util.Random;
 import java.util.zip.DataFormatException;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.X509CertImpl;
-
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -59,20 +60,21 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmsutil.util.Utils;
 
 import netscape.security.provider.RSAPublicKey;
 //import org.mozilla.jss.pkcs11.PK11ECPublicKey;
 import netscape.security.util.BigInt;
 import netscape.security.x509.RevocationReason;
 import netscape.security.x509.X509CertImpl;
 import sun.security.pkcs11.wrapper.PKCS11Constants;
 
 public class TPSEnrollProcessor extends TPSProcessor {
 
     public TPSEnrollProcessor(TPSSession session) {
@@ -3688,13 +3688,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
         String auditType = "";
         switch (op) {
         case "retrieval":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9";
+            auditType = AuditEvent.TOKEN_CERT_RETRIEVAL;
             break;
         case "renewal":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9";
+            auditType = AuditEvent.TOKEN_CERT_RENEWAL;
             break;
         default:
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
+            auditType = AuditEvent.TOKEN_CERT_ENROLLMENT;
         }
 
         String auditMessage = CMS.getLogMessage(
@@ -3724,7 +3724,7 @@ public class TPSEnrollProcessor extends TPSProcessor {
             serialNum = serial.toString();
 
         String auditMessage = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10",
+                AuditEvent.TOKEN_KEY_RECOVERY,
                 (session != null) ? session.getIpAddress() : null,
                 subjectID,
                 aInfo.getCUIDhexStringPlain(),
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index fe3f801..b309657 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -33,6 +33,7 @@ import org.dogtagpki.tps.msg.BeginOpMsg;
 import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
 
 import com.netscape.certsrv.apps.CMS;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 
 public class TPSPinResetProcessor extends TPSProcessor {
@@ -197,10 +198,10 @@ public class TPSPinResetProcessor extends TPSProcessor {
         String auditType = "";
         switch (status) {
         case "success":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
+            auditType = AuditEvent.TOKEN_PIN_RESET_SUCCESS;
             break;
         default:
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
+            auditType = AuditEvent.TOKEN_PIN_RESET_FAILURE;
         }
 
         String auditMessage = CMS.getLogMessage(
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 7d17f36..910a263 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -93,14 +93,15 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.servlet.tks.SecureChannelProtocol;
 import com.netscape.cmsutil.crypto.CryptoUtil;
 import com.netscape.symkey.SessionKey;
 
 import netscape.security.x509.RevocationReason;
 
 public class TPSProcessor {
 
     public static final int RESULT_NO_ERROR = 0;
@@ -4054,9 +4055,9 @@ public class TPSProcessor {
             String status,
             String authMgrId) {
 
-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
+        String auditType = AuditEvent.TOKEN_AUTH_FAILURE;
         if (status.equals("success"))
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+            auditType = AuditEvent.TOKEN_AUTH_SUCCESS;
 
         String auditMessage = CMS.getLogMessage(
                 auditType,
@@ -4078,7 +4079,7 @@ public class TPSProcessor {
     protected void auditOpRequest(String op, AppletInfo aInfo,
             String status,
             String info) {
-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
+        String auditType = AuditEvent.TOKEN_OP_REQUEST;
 
         String auditMessage = CMS.getLogMessage(
                 auditType,
@@ -4100,10 +4101,10 @@ public class TPSProcessor {
         String auditType = "";
         switch (status) {
         case "success":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
+            auditType = AuditEvent.TOKEN_FORMAT_SUCCESS;
             break;
         default:
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
+            auditType = AuditEvent.TOKEN_FORMAT_FAILURE;
         }
 
         String auditMessage = CMS.getLogMessage(
@@ -4129,10 +4130,10 @@ public class TPSProcessor {
         String auditType = "";
         switch (status) {
         case "success":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS_9";
+            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_SUCCESS;
             break;
         default:
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE_9";
+            auditType = AuditEvent.TOKEN_APPLET_UPGRADE_FAILURE;
         }
 
         String auditMessage = CMS.getLogMessage(
@@ -4154,7 +4155,7 @@ public class TPSProcessor {
             String newKeyVersion,
             String info) {
 
-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
+        String auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_REQUIRED;
 
         String auditMessage = CMS.getLogMessage(
                 auditType,
@@ -4180,10 +4181,10 @@ public class TPSProcessor {
         String auditType = "";
         switch (status) {
         case "success":
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS_10";
+            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_SUCCESS;
             break;
         default:
-            auditType = "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE_10";
+            auditType = AuditEvent.TOKEN_KEY_CHANGEOVER_FAILURE;
         }
 
         String auditMessage = CMS.getLogMessage(
@@ -4212,7 +4213,7 @@ public class TPSProcessor {
             String caConnId,
             String info) {
 
-        String auditType = "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
+        String auditType = AuditEvent.TOKEN_CERT_STATUS_CHANGE_REQUEST;
         /*
          * requestType is "revoke", "on-hold", or "off-hold"
          */
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
index 50453ee..6efe4cb 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/AuthenticatorService.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.authenticator.AuthenticatorCollection;
 import com.netscape.certsrv.tps.authenticator.AuthenticatorData;
@@ -474,7 +475,7 @@ public class AuthenticatorService extends SubsystemService implements Authentica
             Map<String, String> params, String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6",
+                AuditEvent.CONFIG_TOKEN_AUTHENTICATOR,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
index 01bc132..3e1e5df 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ConnectorService.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.connector.ConnectorCollection;
 import com.netscape.certsrv.tps.connector.ConnectorData;
@@ -471,7 +472,7 @@ public class ConnectorService extends SubsystemService implements ConnectorResou
             String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6",
+                AuditEvent.CONFIG_TOKEN_CONNECTOR,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
index 2c070c0..9bbb616 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileMappingService.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.profile.ProfileMappingCollection;
 import com.netscape.certsrv.tps.profile.ProfileMappingData;
@@ -448,7 +449,7 @@ public class ProfileMappingService extends SubsystemService implements ProfileMa
     public void auditMappingResolverChange(String status, String service, String resolverID, Map<String, String> params,
             String info) {
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6",
+                AuditEvent.CONFIG_TOKEN_MAPPING_RESOLVER,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
index 8058caf..43e14be 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/ProfileService.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.base.BadRequestException;
 import com.netscape.certsrv.base.ForbiddenException;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.profile.ProfileCollection;
 import com.netscape.certsrv.tps.profile.ProfileData;
@@ -470,7 +471,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
             String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6",
+                AuditEvent.CONFIG_TOKEN_PROFILE,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
diff --git a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
index f3d0d80..73d0a64 100644
--- a/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
+++ b/base/tps/src/org/dogtagpki/server/tps/rest/TokenService.java
@@ -44,6 +44,7 @@ import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.dbs.EDBException;
 import com.netscape.certsrv.dbs.IDBVirtualList;
 import com.netscape.certsrv.ldap.LDAPExceptionConverter;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.tps.token.TokenCollection;
 import com.netscape.certsrv.tps.token.TokenData;
@@ -814,7 +815,7 @@ public class TokenService extends SubsystemService implements TokenResource {
             String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6",
+                AuditEvent.CONFIG_TOKEN_RECORD,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 service,
@@ -832,7 +833,7 @@ public class TokenService extends SubsystemService implements TokenResource {
             String newReason, Map<String, String> params, String info) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8",
+                AuditEvent.TOKEN_STATE_CHANGE,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 oldState.toString(),
-- 
1.8.3.1


From d2838897eb2ef43f538a1c57e6195292237aa28c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 02:46:49 +0200
Subject: [PATCH 42/59] Reorganized audit event constants for KRA.

Change-Id: Ic4a79b0c73812c7b89daca3c804e6a88c738536a
---
 .../com/netscape/certsrv/logging/AuditEvent.java   | 28 ++++++++++++++++++++++
 .../src/com/netscape/kra/AsymKeyGenService.java    |  5 ++--
 .../com/netscape/kra/SecurityDataProcessor.java    | 12 +++-------
 .../kra/src/com/netscape/kra/SymKeyGenService.java |  6 ++---
 .../server/kra/rest/KeyRequestService.java         | 26 +++++---------------
 .../org/dogtagpki/server/kra/rest/KeyService.java  | 10 +++-----
 .../servlet/csadmin/SecurityDomainProcessor.java   |  8 +++----
 .../cms/servlet/csadmin/UpdateDomainXML.java       |  7 +++---
 .../cms/servlet/csadmin/UpdateNumberRange.java     |  9 ++++---
 .../com/netscape/cmscore/session/SessionTimer.java |  6 ++---
 10 files changed, 56 insertions(+), 61 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index abe16b6..dc632c3 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,34 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String SECURITY_DOMAIN_UPDATE =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
+    public final static String CONFIG_SERIAL_NUMBER =
+            "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
+
+    public final static String SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
+    public static final String SECURITY_DATA_ARCHIVAL_REQUEST =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
+    public final static String SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
+    public static final String SECURITY_DATA_RECOVERY_REQUEST =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
+    public static final String SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
+    public final static String SECURITY_DATA_RETRIEVE_KEY =
+            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
+    public final static String KEY_STATUS_CHANGE =
+            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
+    public final static String SYMKEY_GENERATION_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
+    public static final String SYMKEY_GENERATION_REQUEST =
+            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
+    public static final String ASYMKEY_GENERATION_REQUEST =
+            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
+    public final static String ASYMKEY_GENERATION_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
+
     public final static String TOKEN_CERT_ENROLLMENT =
             "LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9";
     public final static String TOKEN_CERT_RENEWAL =
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index a731fb1..75e340c 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -35,6 +35,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.key.AsymKeyGenerationRequest;
 import com.netscape.certsrv.key.KeyRequestResource;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
@@ -63,8 +64,6 @@ public class AsymKeyGenService implements IService {
     private IKeyRecoveryAuthority kra = null;
     private IStorageKeyUnit storageUnit = null;
     private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED_6";
 
     public AsymKeyGenService(IKeyRecoveryAuthority kra) {
         this.kra = kra;
@@ -233,7 +232,7 @@ public class AsymKeyGenService implements IService {
             String clientKeyID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED,
+                AuditEvent.ASYMKEY_GENERATION_REQUEST_PROCESSED,
                 subjectID,
                 status,
                 requestID.toString(),
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 3475eae..78d64c5 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -38,6 +38,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.key.KeyRequestResource;
 import com.netscape.certsrv.kra.EKRAException;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.request.IRequest;
@@ -65,13 +66,6 @@ public class SecurityDataProcessor {
     private static boolean allowEncDecrypt_archival = false;
     private static boolean allowEncDecrypt_recovery = false;
 
-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED_6";
-
-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED_5";
-
-
     public SecurityDataProcessor(IKeyRecoveryAuthority kra) {
         this.kra = kra;
         transportUnit = kra.getTransportKeyUnit();
@@ -779,7 +773,7 @@ public class SecurityDataProcessor {
     private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
+                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,
                 subjectID,
                 status,
                 requestID.toString(),
@@ -791,7 +785,7 @@ public class SecurityDataProcessor {
     private void auditArchivalRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
+                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,
                 subjectID,
                 status,
                 requestID.toString(),
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 9c50eb3..f700a79 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.key.KeyRequestResource;
 import com.netscape.certsrv.key.SymKeyGenerationRequest;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
@@ -60,9 +61,6 @@ public class SymKeyGenService implements IService {
     private IStorageKeyUnit mStorageUnit = null;
     private ILogger signedAuditLogger = CMS.getSignedAuditLogger();
 
-    private final static String LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED_6";
-
     public SymKeyGenService(IKeyRecoveryAuthority kra) {
         mKRA = kra;
         mStorageUnit = kra.getStorageKeyUnit();
@@ -252,7 +250,7 @@ public class SymKeyGenService implements IService {
     private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED,
+                AuditEvent.SYMKEY_GENERATION_REQUEST_PROCESSED,
                 subjectID,
                 status,
                 requestID.toString(),
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
index e0c4ca9..38f7e93 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyRequestService.java
@@ -48,6 +48,7 @@ import com.netscape.certsrv.key.KeyRequestInfoCollection;
 import com.netscape.certsrv.key.KeyRequestResource;
 import com.netscape.certsrv.key.KeyRequestResponse;
 import com.netscape.certsrv.key.SymKeyGenerationRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.RequestId;
 import com.netscape.certsrv.request.RequestNotFoundException;
@@ -62,21 +63,6 @@ import com.netscape.cmsutil.ldap.LDAPUtil;
  */
 public class KeyRequestService extends SubsystemService implements KeyRequestResource {
 
-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_4";
-
-    private static final String LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST =
-            "LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST_4";
-
-    private static final String LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST =
-            "LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST_4";
-
-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_4";
-
-    private static final String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE_4";
-
     public static final int DEFAULT_START = 0;
     public static final int DEFAULT_PAGESIZE = 20;
     public static final int DEFAULT_MAXRESULTS = 100;
@@ -349,7 +335,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 
     public void auditRecoveryRequestChange(RequestId requestId, String status, String operation) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
+                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,
                 getRequestor(),
                 status,
                 requestId.toString(),
@@ -359,7 +345,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 
     public void auditRecoveryRequestMade(RequestId requestId, String status, KeyId dataId) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST,
+                AuditEvent.SECURITY_DATA_RECOVERY_REQUEST,
                 getRequestor(),
                 status,
                 requestId != null? requestId.toString(): "null",
@@ -369,7 +355,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 
     public void auditArchivalRequestMade(RequestId requestId, String status, String clientKeyID) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST,
+                AuditEvent.SECURITY_DATA_ARCHIVAL_REQUEST,
                 getRequestor(),
                 status,
                 requestId != null? requestId.toString(): "null",
@@ -379,7 +365,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 
     public void auditSymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST,
+                AuditEvent.SYMKEY_GENERATION_REQUEST,
                 getRequestor(),
                 status,
                 requestId != null ? requestId.toString() : "null",
@@ -389,7 +375,7 @@ public class KeyRequestService extends SubsystemService implements KeyRequestRes
 
     public void auditAsymKeyGenRequestMade(RequestId requestId, String status, String clientKeyID) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST,
+                AuditEvent.ASYMKEY_GENERATION_REQUEST,
                 getRequestor(),
                 status,
                 requestId != null ? requestId.toString() : "null",
diff --git a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
index e15b263..7a21971 100644
--- a/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
+++ b/base/kra/src/org/dogtagpki/server/kra/rest/KeyService.java
@@ -60,6 +60,7 @@ import com.netscape.certsrv.key.KeyRecoveryRequest;
 import com.netscape.certsrv.key.KeyResource;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.kra.IKeyService;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IRequestQueue;
@@ -77,11 +78,6 @@ import com.netscape.cmsutil.util.Utils;
  */
 public class KeyService extends SubsystemService implements KeyResource {
 
-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY_5";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE =
-            "LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE_6";
-
     public static final int DEFAULT_MAXRESULTS = 100;
     public static final int DEFAULT_MAXTIME = 10;
     public static final String ATTR_SERIALNO = "serialNumber";
@@ -606,7 +602,7 @@ public class KeyService extends SubsystemService implements KeyResource {
 
     public void auditRetrieveKey(String status, String reason) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SECURITY_DATA_RETRIEVE_KEY,
+                AuditEvent.SECURITY_DATA_RETRIEVE_KEY,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 requestId != null ? requestId.toString(): "null",
@@ -628,7 +624,7 @@ public class KeyService extends SubsystemService implements KeyResource {
     public void auditKeyStatusChange(String status, String keyID, String oldKeyStatus,
             String newKeyStatus, String info) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE,
+                AuditEvent.KEY_STATUS_CHANGE,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 keyID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index 3a2b694..69e76fc 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.base.ISecurityDomainSessionTable;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.UnauthorizedException;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.system.DomainInfo;
 import com.netscape.certsrv.system.InstallToken;
@@ -64,9 +65,6 @@ import netscape.ldap.LDAPSearchResults;
  */
 public class SecurityDomainProcessor extends CAProcessor {
 
-    public final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
-
     public final static String[] TYPES = { "CA", "KRA", "OCSP", "TKS", "RA", "TPS" };
 
     Random random = new Random();
@@ -128,7 +126,7 @@ public class SecurityDomainProcessor extends CAProcessor {
 
         if (status == ISecurityDomainSessionTable.SUCCESS) {
             message = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               AuditEvent.SECURITY_DOMAIN_UPDATE,
                                user,
                                ILogger.SUCCESS,
                                auditParams);
@@ -136,7 +134,7 @@ public class SecurityDomainProcessor extends CAProcessor {
 
         } else {
             message = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               AuditEvent.SECURITY_DOMAIN_UPDATE,
                                user,
                                ILogger.FAILURE,
                                auditParams);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index 1a23823..bed4357 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -47,6 +47,7 @@ import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.base.UserInfo;
@@ -62,8 +63,6 @@ public class UpdateDomainXML extends CMSServlet {
     private static final long serialVersionUID = 4059169588555717548L;
     private final static String SUCCESS = "0";
     private final static String FAILED = "1";
-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
     private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
             "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
 
@@ -501,14 +500,14 @@ public class UpdateDomainXML extends CMSServlet {
 
         if (status.equals(SUCCESS)) {
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               AuditEvent.SECURITY_DOMAIN_UPDATE,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
         } else {
             // what if already exists or already deleted
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                               AuditEvent.SECURITY_DOMAIN_UPDATE,
                                auditSubjectID,
                                ILogger.FAILURE,
                                auditParams);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
index e068bd4..2586da2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateNumberRange.java
@@ -37,6 +37,7 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.dbs.repository.IRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.base.UserInfo;
@@ -52,8 +53,6 @@ public class UpdateNumberRange extends CMSServlet {
     private static final long serialVersionUID = -1584171713024263331L;
     private final static String SUCCESS = "0";
     private final static String AUTH_FAILURE = "2";
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER =
-            "LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1";
 
     public UpdateNumberRange() {
         super();
@@ -208,7 +207,7 @@ public class UpdateNumberRange extends CMSServlet {
                 CMS.debug("UpdateNumberRange::process() - " +
                            "beginNum is null!");
                 auditMessage = CMS.getLogMessage(
-                                   LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+                                   AuditEvent.CONFIG_SERIAL_NUMBER,
                                    auditSubjectID,
                                    ILogger.FAILURE,
                                    auditParams);
@@ -240,7 +239,7 @@ public class UpdateNumberRange extends CMSServlet {
                           "+endNumber;;" + endNum.toString(radix);
 
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+                               AuditEvent.CONFIG_SERIAL_NUMBER,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
@@ -251,7 +250,7 @@ public class UpdateNumberRange extends CMSServlet {
             CMS.debug(e);
 
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER,
+                               AuditEvent.CONFIG_SERIAL_NUMBER,
                                auditSubjectID,
                                ILogger.FAILURE,
                                auditParams);
diff --git a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
index 0f79fc4..c6db131 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/session/SessionTimer.java
@@ -23,14 +23,12 @@ import java.util.TimerTask;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.ISecurityDomainSessionTable;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 
 public class SessionTimer extends TimerTask {
     private ISecurityDomainSessionTable m_sessiontable = null;
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE =
-            "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
-
     public SessionTimer(ISecurityDomainSessionTable table) {
         super();
         m_sessiontable = table;
@@ -61,7 +59,7 @@ public class SessionTimer extends TimerTask {
                 // audit message
                 String auditParams = "operation;;expire_token+token;;" + sessionId;
                 String auditMessage = CMS.getLogMessage(
-                                         LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE,
+                                         AuditEvent.SECURITY_DOMAIN_UPDATE,
                                          "system",
                                          ILogger.SUCCESS,
                                          auditParams);
-- 
1.8.3.1


From f0eedf609ef2042915556738dafba0fa9d8da6cc Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 03:11:51 +0200
Subject: [PATCH 43/59] Reorganized audit event constants for TKS.

Change-Id: I7fee37c8369945c6aedae78bd56063bc4488c0f7
---
 .../com/netscape/certsrv/logging/AuditEvent.java   | 25 ++++++++
 .../com/netscape/cms/servlet/tks/TokenServlet.java | 73 ++++++----------------
 2 files changed, 44 insertions(+), 54 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index dc632c3..8abb9a5 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,31 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String COMPUTE_RANDOM_DATA_REQUEST =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
+    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
+    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
+    public final static String COMPUTE_SESSION_KEY_REQUEST =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+    public final static String DIVERSIFY_KEY_REQUEST =
+            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
+    public final static String ENCRYPT_DATA_REQUEST =
+            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
+    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
+    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
+
     public final static String SECURITY_DOMAIN_UPDATE =
             "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
     public final static String CONFIG_SERIAL_NUMBER =
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
index 6a17466..3915b73 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -47,6 +47,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -75,42 +76,6 @@ public class TokenServlet extends CMSServlet {
     String mCurrentUID = null;
     IPrettyPrintFormat pp = CMS.getPrettyPrintFormat(":");
 
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-
-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST =
-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-
-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-
-    private final static String LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-
-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST =
-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-
-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
-
-    private final static String LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
-
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
-
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
-
-    private final static String LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
-
     // Derivation Constants for SCP02
     public final static byte[] C_MACDerivationConstant = { (byte) 0x01, (byte) 0x01 };
     public final static byte[] ENCDerivationConstant = { 0x01, (byte) 0x82 };
@@ -404,7 +369,7 @@ public class TokenServlet extends CMSServlet {
         }
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
                 rCUID,
                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
                 ILogger.SUCCESS,
@@ -834,7 +799,7 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
                     logParams);
 
         } else {
@@ -854,7 +819,7 @@ public class TokenServlet extends CMSServlet {
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
                     logParams);
         }
 
@@ -922,7 +887,7 @@ public class TokenServlet extends CMSServlet {
 
         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
                 rCUID,
                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
                 ILogger.SUCCESS,
@@ -1492,7 +1457,7 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
                     logParams);
 
         } else {
@@ -1514,7 +1479,7 @@ public class TokenServlet extends CMSServlet {
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
                     logParams);
 
         }
@@ -1635,7 +1600,7 @@ public class TokenServlet extends CMSServlet {
 
         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST,
+                AuditEvent.DIVERSIFY_KEY_REQUEST,
                 rCUID,
                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
                 ILogger.SUCCESS,
@@ -1924,7 +1889,7 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
+            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
         } else {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
@@ -1946,7 +1911,7 @@ public class TokenServlet extends CMSServlet {
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
+            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
         }
 
         audit(auditMessage);
@@ -2011,7 +1976,7 @@ public class TokenServlet extends CMSServlet {
 
         // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST,
+                AuditEvent.ENCRYPT_DATA_REQUEST,
                 rCUID,
                 rKDD, // AC: KDF SPEC CHANGE - Log both CUID and KDD.
                 ILogger.SUCCESS,
@@ -2262,7 +2227,7 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
+            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
         } else {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
@@ -2281,7 +2246,7 @@ public class TokenServlet extends CMSServlet {
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
+            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
         }
 
         audit(auditMessage);
@@ -2344,7 +2309,7 @@ public class TokenServlet extends CMSServlet {
         CMS.debug("TokenServlet::processComputeRandomData data size requested: " + dataSize);
 
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST,
+                AuditEvent.COMPUTE_RANDOM_DATA_REQUEST,
                 ILogger.SUCCESS,
                 agentId);
 
@@ -2403,13 +2368,13 @@ public class TokenServlet extends CMSServlet {
 
         if (status.equals("0")) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
+                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
                     ILogger.SUCCESS,
                     status,
                     agentId);
         } else {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
+                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
                     ILogger.FAILURE,
                     status,
                     agentId,
@@ -2533,7 +2498,7 @@ public class TokenServlet extends CMSServlet {
         }
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST,
+                AuditEvent.COMPUTE_SESSION_KEY_REQUEST,
                 rCUID,
                 rKDD,
                 ILogger.SUCCESS,
@@ -2956,7 +2921,7 @@ public class TokenServlet extends CMSServlet {
                     keySet, // TKSKeyset
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
                     logParams);
 
         } else {
@@ -2973,7 +2938,7 @@ public class TokenServlet extends CMSServlet {
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
                     errorMsg // Error
             };
-            auditMessage = CMS.getLogMessage(LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
+            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
                     logParams);
 
         }
-- 
1.8.3.1


From e770f3a4ff34c27bc698d47aedc518a7ae6b31f9 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 03:54:29 +0200
Subject: [PATCH 44/59] Reorganized audit event constants for OCSP.

Change-Id: I3eb97554a1d0f4b86c981692ab0130b28c9c5288
---
 .../com/netscape/certsrv/logging/AuditEvent.java   | 17 ++++++++++++
 .../com/netscape/cms/authentication/CMCAuth.java   | 25 +++++++++---------
 .../netscape/cms/servlet/ocsp/AddCAServlet.java    | 22 +++++++---------
 .../netscape/cms/servlet/ocsp/AddCRLServlet.java   | 30 ++++++++++------------
 .../netscape/cms/servlet/ocsp/RemoveCAServlet.java | 17 ++++--------
 5 files changed, 56 insertions(+), 55 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 8abb9a5..bc892a9 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,23 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String CRL_RETRIEVAL =
+            "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
+    public final static String CRL_VALIDATION =
+            "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
+    public final static String OCSP_ADD_CA_REQUEST =
+            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
+    public final static String OCSP_ADD_CA_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
+    public final static String OCSP_REMOVE_CA_REQUEST =
+            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
+    public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
+    public final static String OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
+    public final static String CMC_SIGNED_REQUEST_SIG_VERIFY =
+            "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
+
     public final static String COMPUTE_RANDOM_DATA_REQUEST =
             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
     public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 8523189..02aceb4 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -79,6 +79,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IExtendedPluginInfo;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
@@ -181,8 +182,6 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
             "enrollment";
     private final static String SIGNED_AUDIT_REVOCATION_REQUEST_TYPE =
             "revocation";
-    private final static String LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY =
-            "LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY_5";
 
     /////////////////////
     // default methods //
@@ -266,7 +265,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditReqType,
@@ -285,7 +284,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditReqType,
@@ -334,7 +333,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                         !cmcReq.hasContent()) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                            AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditReqType,
@@ -380,7 +379,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                         !ci.hasContent()) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                            AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditReqType,
@@ -561,7 +560,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                             } catch (Exception e) {
                                 // store a message in the signed audit log file
                                 auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                                         auditSubjectID,
                                         ILogger.FAILURE,
                                         auditReqType,
@@ -615,7 +614,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                             } catch (Exception e) {
                                 // store a message in the signed audit log file
                                 auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                                         auditSubjectID,
                                         ILogger.FAILURE,
                                         auditReqType,
@@ -640,7 +639,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                        AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditReqType,
@@ -656,7 +655,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditReqType,
@@ -669,7 +668,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         } catch (EMissingCredential eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditReqType,
@@ -683,7 +682,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         } catch (EInvalidCredentials eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditReqType,
@@ -697,7 +696,7 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
         } catch (EBaseException eAudit3) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY,
+                    AuditEvent.CMC_SIGNED_REQUEST_SIG_VERIFY,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditReqType,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
index f19a9d6..0088e92 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCAServlet.java
@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ocsp.IDefStore;
@@ -69,11 +70,6 @@ public class AddCAServlet extends CMSServlet {
     private String mFormPath = null;
     private IOCSPAuthority mOCSPAuthority = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST =
-            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_3";
-    private final static String LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_3";
-
     public AddCAServlet() {
         super();
     }
@@ -162,7 +158,7 @@ public class AddCAServlet extends CMSServlet {
 
         if (b64 == null) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
+                    AuditEvent.OCSP_ADD_CA_REQUEST,
                     auditSubjectID,
                     ILogger.FAILURE,
                     ILogger.SIGNED_AUDIT_EMPTY_VALUE);
@@ -175,7 +171,7 @@ public class AddCAServlet extends CMSServlet {
         auditCA = Cert.normalizeCertStr(Cert.stripCertBrackets(b64.trim()));
         // record the fact that a request to add CA is made
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST,
+                AuditEvent.OCSP_ADD_CA_REQUEST,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 auditCA);
@@ -184,7 +180,7 @@ public class AddCAServlet extends CMSServlet {
 
         if (b64.indexOf(BEGIN_HEADER) == -1) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditCASubjectDN);
@@ -195,7 +191,7 @@ public class AddCAServlet extends CMSServlet {
         }
         if (b64.indexOf(END_HEADER) == -1) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditCASubjectDN);
@@ -216,7 +212,7 @@ public class AddCAServlet extends CMSServlet {
             if (cert == null) {
                 CMS.debug("AddCAServlet::process() - cert is null!");
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCASubjectDN);
@@ -245,7 +241,7 @@ public class AddCAServlet extends CMSServlet {
                 auditCASubjectDN = leafCert.getSubjectDN().getName();
             } catch (Exception e) {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCASubjectDN);
@@ -270,7 +266,7 @@ public class AddCAServlet extends CMSServlet {
                 rec.set(ICRLIssuingPointRecord.ATTR_CA_CERT, leafCert.getEncoded());
             } catch (Exception e) {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                        AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCASubjectDN);
@@ -282,7 +278,7 @@ public class AddCAServlet extends CMSServlet {
             defStore.addCRLIssuingPoint(leafCert.getSubjectDN().getName(), rec);
             log(ILogger.EV_AUDIT, AuditFormat.LEVEL, "Added CA certificate " + leafCert.getSubjectDN().getName());
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED,
+                    AuditEvent.OCSP_ADD_CA_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditCASubjectDN);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
index 386ce93..5b4f624 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/AddCRLServlet.java
@@ -40,6 +40,7 @@ import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
 import com.netscape.certsrv.dbs.repository.IRepositoryRecord;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ocsp.IDefStore;
@@ -77,11 +78,6 @@ public class AddCRLServlet extends CMSServlet {
     private String mFormPath = null;
     private IOCSPAuthority mOCSPAuthority = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL =
-            "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
-    private final static String LOGGING_SIGNED_AUDIT_CRL_VALIDATION =
-            "LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2";
-
     public AddCRLServlet() {
         super();
     }
@@ -153,7 +149,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -181,7 +177,7 @@ public class AddCRLServlet extends CMSServlet {
             if (b64 == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -216,7 +212,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -237,7 +233,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -253,7 +249,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -290,7 +286,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditCRLNum);
@@ -304,7 +300,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -329,7 +325,7 @@ public class AddCRLServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
+                        AuditEvent.CRL_VALIDATION,
                         auditSubjectID,
                         ILogger.FAILURE);
 
@@ -383,7 +379,7 @@ public class AddCRLServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
+                            AuditEvent.CRL_VALIDATION,
                             auditSubjectID,
                             ILogger.SUCCESS);
 
@@ -400,7 +396,7 @@ public class AddCRLServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
+                            AuditEvent.CRL_VALIDATION,
                             auditSubjectID,
                             ILogger.FAILURE);
 
@@ -547,7 +543,7 @@ public class AddCRLServlet extends CMSServlet {
             if (!CRLFetched) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL,
+                        AuditEvent.CRL_RETRIEVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditCRLNum);
@@ -557,7 +553,7 @@ public class AddCRLServlet extends CMSServlet {
                 if (!CRLValidated) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CRL_VALIDATION,
+                            AuditEvent.CRL_VALIDATION,
                             auditSubjectID,
                             ILogger.FAILURE);
 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
index 55f688a..b6352a1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/ocsp/RemoveCAServlet.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ocsp.IDefStore;
 import com.netscape.certsrv.ocsp.IOCSPAuthority;
@@ -56,14 +57,6 @@ public class RemoveCAServlet extends CMSServlet {
     private String mFormPath = null;
     private IOCSPAuthority mOCSPAuthority = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST =
-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_3";
-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS_3";
-
-    private final static String LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE_3";
-
     public RemoveCAServlet() {
         super();
     }
@@ -151,7 +144,7 @@ public class RemoveCAServlet extends CMSServlet {
 
         if (caID == null) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
+                    AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
                     auditSubjectID,
                     ILogger.FAILURE,
                     ILogger.SIGNED_AUDIT_EMPTY_VALUE);
@@ -160,7 +153,7 @@ public class RemoveCAServlet extends CMSServlet {
         }
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST,
+                AuditEvent.OCSP_REMOVE_CA_REQUEST,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 caID);
@@ -175,7 +168,7 @@ public class RemoveCAServlet extends CMSServlet {
         } catch (EBaseException e) {
 
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
+                    AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE,
                     auditSubjectID,
                     ILogger.FAILURE,
                     caID);
@@ -188,7 +181,7 @@ public class RemoveCAServlet extends CMSServlet {
         CMS.debug("RemoveCAServlet::process: CRL IssuingPoint for CA successfully removed: " + caID);
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,
+                AuditEvent.OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 caID);
-- 
1.8.3.1


From 0afe49b7b758d46f8bc0ca87cf2124e90084ebce Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 04:13:14 +0200
Subject: [PATCH 45/59] Reorganized audit event constants for authentication.

Change-Id: Iade8cb7fdf3c3f93afb13ff814da0f72dc8f8049
---
 .../dogtagpki/server/ca/rest/ProfileService.java   |  5 +--
 .../com/netscape/certsrv/logging/AuditEvent.java   | 19 ++++++++++
 .../netscape/cms/profile/common/EnrollProfile.java |  8 ++--
 .../netscape/cms/profile/input/EnrollInput.java    |  8 ++--
 .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 14 +++----
 .../netscape/cms/servlet/admin/AdminServlet.java   | 43 +++++++++-------------
 .../com/netscape/cms/servlet/base/CMSServlet.java  | 27 +++++---------
 .../cms/servlet/connector/ConnectorServlet.java    | 19 +++++-----
 .../cms/servlet/processors/CAProcessor.java        | 31 ++++++----------
 .../cms/servlet/processors/CRMFProcessor.java      | 12 +++---
 .../cms/servlet/profile/ProfileApproveServlet.java | 21 +++++------
 .../org/dogtagpki/server/rest/ACLInterceptor.java  | 24 +++++-------
 12 files changed, 106 insertions(+), 125 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index 694fb92..eae68ef 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.UnauthorizedException;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
@@ -89,8 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
 
-    private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
-            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
     private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
             "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
 
@@ -1189,7 +1188,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
 
     public void auditProfileChangeState(String profileId, String op, String status) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                AuditEvent.CERT_PROFILE_APPROVAL,
                 auditor.getSubjectID(),
                 status,
                 profileId,
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index bc892a9..82cb77f 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,25 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String AUTHZ_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
+    public final static String AUTHZ_SUCCESS_INFO =
+            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5";
+    public final static String AUTHZ_FAIL =
+            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
+    public final static String AUTHZ_FAIL_INFO =
+            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5";
+    public final static String INTER_BOUNDARY =
+            "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
+    public final static String AUTH_FAIL =
+            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
+    public final static String AUTH_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
+    public final static String CERT_PROFILE_APPROVAL =
+            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
+    public final static String PROOF_OF_POSSESSION =
+            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
+
     public final static String CRL_RETRIEVAL =
             "LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3";
     public final static String CRL_VALIDATION =
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index f4a59d2..0ec3c94 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -76,6 +76,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.ICertificateAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EDeferException;
 import com.netscape.certsrv.profile.EProfileException;
@@ -121,9 +122,6 @@ public abstract class EnrollProfile extends BasicProfile
 
     private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
-
     private PKIData mCMCData;
 
     public EnrollProfile() {
@@ -2073,7 +2071,7 @@ public abstract class EnrollProfile extends BasicProfile
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                    AuditEvent.PROOF_OF_POSSESSION,
                     auditSubjectID,
                     ILogger.SUCCESS);
             audit(auditMessage);
@@ -2093,7 +2091,7 @@ public abstract class EnrollProfile extends BasicProfile
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                    AuditEvent.PROOF_OF_POSSESSION,
                     auditSubjectID,
                     ILogger.FAILURE);
 
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
index f246951..81e71c4 100644
--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -30,6 +30,7 @@ import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
@@ -48,9 +49,6 @@ import com.netscape.cmsutil.crypto.CryptoUtil;
  */
 public abstract class EnrollInput implements IProfileInput {
 
-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
-
     protected IConfigStore mConfig = null;
     protected Vector<String> mValueNames = new Vector<String>();
     protected Vector<String> mConfigNames = new Vector<String>();
@@ -219,7 +217,7 @@ public abstract class EnrollInput implements IProfileInput {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                    AuditEvent.PROOF_OF_POSSESSION,
                     auditSubjectID,
                     ILogger.SUCCESS);
             audit(auditMessage);
@@ -230,7 +228,7 @@ public abstract class EnrollInput implements IProfileInput {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                    AuditEvent.PROOF_OF_POSSESSION,
                     auditSubjectID,
                     ILogger.FAILURE);
 
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index 1933601..28fb0b9 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -16,6 +16,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authentication.ICertUserDBAuthentication;
 import com.netscape.certsrv.authentication.IPasswdUserDBAuthentication;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.EUsrGrpException;
 import com.netscape.certsrv.usrgrp.IGroup;
@@ -35,11 +36,6 @@ import netscape.security.x509.X509CertImpl;
 
 public class PKIRealm extends RealmBase {
     protected ILogger signedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
-
     @Override
     protected String getName() {
         return "PKIRealm";
@@ -66,7 +62,7 @@ public class PKIRealm extends RealmBase {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                        AuditEvent.AUTH_SUCCESS,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID);
@@ -77,7 +73,7 @@ public class PKIRealm extends RealmBase {
         } catch (Throwable e) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        AuditEvent.AUTH_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         IAuthSubsystem.PASSWDUSERDB_AUTHMGR_ID,
@@ -126,7 +122,7 @@ public class PKIRealm extends RealmBase {
             CMS.debug("PKIRealm: User ID: " + username);
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                        AuditEvent.AUTH_SUCCESS,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         IAuthSubsystem.CERTUSERDB_AUTHMGR_ID);
@@ -137,7 +133,7 @@ public class PKIRealm extends RealmBase {
         } catch (Throwable e) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        AuditEvent.AUTH_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         IAuthSubsystem.CERTUSERDB_AUTHMGR_ID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index ab7af9e..0350e38 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.IExtendedPluginInfo;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.IAuditor;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.EUsrGrpException;
@@ -121,14 +122,6 @@ public class AdminServlet extends HttpServlet {
     public static final String CERT_ATTR =
             "javax.servlet.request.X509Certificate";
 
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
     private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
     private final static String CERTUSERDB =
@@ -307,7 +300,7 @@ public class AdminServlet extends HttpServlet {
                 if (allCerts == null || allCerts.length == 0) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                AuditEvent.AUTH_FAIL,
                                 ILogger.UNIDENTIFIED,
                                 ILogger.FAILURE,
                                 CERTUSERDB,
@@ -399,7 +392,7 @@ public class AdminServlet extends HttpServlet {
                 if (authType.equals("sslclientauth")) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                AuditEvent.AUTH_FAIL,
                                 ILogger.UNIDENTIFIED,
                                 ILogger.FAILURE,
                                 CERTUSERDB,
@@ -409,7 +402,7 @@ public class AdminServlet extends HttpServlet {
                 } else {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                AuditEvent.AUTH_FAIL,
                                 ILogger.UNIDENTIFIED,
                                 ILogger.FAILURE,
                                 PASSWDUSERDB,
@@ -433,7 +426,7 @@ public class AdminServlet extends HttpServlet {
                     if (authType.equals("sslclientauth")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                    AuditEvent.AUTH_FAIL,
                                     ILogger.UNIDENTIFIED,
                                     ILogger.FAILURE,
                                     CERTUSERDB,
@@ -443,7 +436,7 @@ public class AdminServlet extends HttpServlet {
                     } else {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                    AuditEvent.AUTH_FAIL,
                                     ILogger.UNIDENTIFIED,
                                     ILogger.FAILURE,
                                     PASSWDUSERDB,
@@ -469,7 +462,7 @@ public class AdminServlet extends HttpServlet {
                     if (authType.equals("sslclientauth")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                    AuditEvent.AUTH_FAIL,
                                     ILogger.UNIDENTIFIED,
                                     ILogger.FAILURE,
                                     CERTUSERDB,
@@ -479,7 +472,7 @@ public class AdminServlet extends HttpServlet {
                     } else {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                    AuditEvent.AUTH_FAIL,
                                     ILogger.UNIDENTIFIED,
                                     ILogger.FAILURE,
                                     PASSWDUSERDB,
@@ -505,7 +498,7 @@ public class AdminServlet extends HttpServlet {
                 if (authType.equals("sslclientauth")) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                AuditEvent.AUTH_FAIL,
                                 ILogger.UNIDENTIFIED,
                                 ILogger.FAILURE,
                                 CERTUSERDB,
@@ -515,7 +508,7 @@ public class AdminServlet extends HttpServlet {
                 } else {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                                AuditEvent.AUTH_FAIL,
                                 ILogger.UNIDENTIFIED,
                                 ILogger.FAILURE,
                                 PASSWDUSERDB,
@@ -535,7 +528,7 @@ public class AdminServlet extends HttpServlet {
             if (authType.equals("sslclientauth")) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                            AuditEvent.AUTH_SUCCESS,
                             auditSubjectID(),
                             ILogger.SUCCESS,
                             CERTUSERDB);
@@ -544,7 +537,7 @@ public class AdminServlet extends HttpServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                            AuditEvent.AUTH_SUCCESS,
                             auditSubjectID(),
                             ILogger.SUCCESS,
                             PASSWDUSERDB);
@@ -555,7 +548,7 @@ public class AdminServlet extends HttpServlet {
             if (authType.equals("sslclientauth")) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                            AuditEvent.AUTH_FAIL,
                             ILogger.UNIDENTIFIED,
                             ILogger.FAILURE,
                             CERTUSERDB,
@@ -565,7 +558,7 @@ public class AdminServlet extends HttpServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                            AuditEvent.AUTH_FAIL,
                             ILogger.UNIDENTIFIED,
                             ILogger.FAILURE,
                             PASSWDUSERDB,
@@ -654,7 +647,7 @@ public class AdminServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -677,7 +670,7 @@ public class AdminServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -698,7 +691,7 @@ public class AdminServlet extends HttpServlet {
         } catch (Exception e) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -720,7 +713,7 @@ public class AdminServlet extends HttpServlet {
 
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                    AuditEvent.AUTHZ_SUCCESS,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditACLResource,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index ab9b936..01f9f07 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -64,6 +64,7 @@ import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ra.IRegistrationAuthority;
 import com.netscape.certsrv.request.IRequest;
@@ -244,14 +245,6 @@ public abstract class CMSServlet extends HttpServlet {
     private IUGSubsystem mUG = (IUGSubsystem)
             CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
-    private final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
     private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
 
@@ -1801,7 +1794,7 @@ public abstract class CMSServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                        AuditEvent.AUTH_SUCCESS,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditAuthMgrID);
@@ -1812,7 +1805,7 @@ public abstract class CMSServlet extends HttpServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        AuditEvent.AUTH_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditAuthMgrID,
@@ -1837,7 +1830,7 @@ public abstract class CMSServlet extends HttpServlet {
             authzToken = mAuthz.authorize(authzMgrName, authToken, exp);
             if (authzToken != null) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                            AuditEvent.AUTHZ_SUCCESS,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditACLResource,
@@ -1855,7 +1848,7 @@ public abstract class CMSServlet extends HttpServlet {
                 audit(auditMessage);
             } else {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                            AuditEvent.AUTHZ_FAIL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditACLResource,
@@ -1874,7 +1867,7 @@ public abstract class CMSServlet extends HttpServlet {
             return authzToken;
         } catch (Exception e) {
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -1971,7 +1964,7 @@ public abstract class CMSServlet extends HttpServlet {
             if (authzTok != null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                            AuditEvent.AUTHZ_SUCCESS,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditACLResource,
@@ -1990,7 +1983,7 @@ public abstract class CMSServlet extends HttpServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                            AuditEvent.AUTHZ_FAIL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditACLResource,
@@ -2012,7 +2005,7 @@ public abstract class CMSServlet extends HttpServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -2033,7 +2026,7 @@ public abstract class CMSServlet extends HttpServlet {
         } catch (Exception eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index e6dfbc4..014db79 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.connector.IPKIMessage;
 import com.netscape.certsrv.connector.IRequestEncoder;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
@@ -97,8 +98,6 @@ public class ConnectorServlet extends CMSServlet {
 
     protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
     private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
-    private final static String LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5";
     private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
             "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
     private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
@@ -479,7 +478,7 @@ public class ConnectorServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                                AuditEvent.INTER_BOUNDARY,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditProtectionMethod,
@@ -501,7 +500,7 @@ public class ConnectorServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                                AuditEvent.INTER_BOUNDARY,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditProtectionMethod,
@@ -699,7 +698,7 @@ public class ConnectorServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                            AuditEvent.INTER_BOUNDARY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditProtectionMethod,
@@ -921,7 +920,7 @@ public class ConnectorServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                            AuditEvent.INTER_BOUNDARY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditProtectionMethod,
@@ -934,7 +933,7 @@ public class ConnectorServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                            AuditEvent.INTER_BOUNDARY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProtectionMethod,
@@ -947,7 +946,7 @@ public class ConnectorServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                            AuditEvent.INTER_BOUNDARY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProtectionMethod,
@@ -960,7 +959,7 @@ public class ConnectorServlet extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                            AuditEvent.INTER_BOUNDARY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProtectionMethod,
@@ -980,7 +979,7 @@ public class ConnectorServlet extends CMSServlet {
         } catch (EBaseException e) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS,
+                        AuditEvent.INTER_BOUNDARY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditProtectionMethod,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 62b9a7c..d5a9c4d 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -51,6 +51,7 @@ import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.IEnrollProfile;
 import com.netscape.certsrv.profile.IProfile;
@@ -118,14 +119,6 @@ public class CAProcessor extends Processor {
 
     public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
             "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
-    public final static String LOGGING_SIGNED_AUDIT_AUTH_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTH_FAIL_4";
-    public final static String LOGGING_SIGNED_AUDIT_AUTH_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTH_SUCCESS_3";
-    public final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_4";
-    public final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
     public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
@@ -498,7 +491,7 @@ public class CAProcessor extends Processor {
 
                 authSubjectID += " : " + uid_cred;
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        AuditEvent.AUTH_FAIL,
                         authSubjectID,
                         ILogger.FAILURE,
                         authMgrID,
@@ -512,7 +505,7 @@ public class CAProcessor extends Processor {
 
                 authSubjectID += " : " + uid_cred;
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                        AuditEvent.AUTH_FAIL,
                         authSubjectID,
                         ILogger.FAILURE,
                         authMgrID,
@@ -534,7 +527,7 @@ public class CAProcessor extends Processor {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                    AuditEvent.AUTH_SUCCESS,
                     authSubjectID,
                     ILogger.SUCCESS,
                     authMgrID);
@@ -669,7 +662,7 @@ public class CAProcessor extends Processor {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTH_SUCCESS,
+                    AuditEvent.AUTH_SUCCESS,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditAuthMgrID);
@@ -680,7 +673,7 @@ public class CAProcessor extends Processor {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTH_FAIL,
+                    AuditEvent.AUTH_FAIL,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditAuthMgrID,
@@ -730,7 +723,7 @@ public class CAProcessor extends Processor {
             authzToken = authz.authorize(authzMgrName, authToken, exp);
             if (authzToken != null) {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                        AuditEvent.AUTHZ_SUCCESS,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditACLResource,
@@ -748,7 +741,7 @@ public class CAProcessor extends Processor {
                 audit(auditMessage);
             } else {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -767,7 +760,7 @@ public class CAProcessor extends Processor {
             return authzToken;
         } catch (EBaseException e) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                    AuditEvent.AUTHZ_FAIL,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditACLResource,
@@ -863,7 +856,7 @@ public class CAProcessor extends Processor {
             if (authzTok != null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                        AuditEvent.AUTHZ_SUCCESS,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditACLResource,
@@ -882,7 +875,7 @@ public class CAProcessor extends Processor {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditACLResource,
@@ -904,7 +897,7 @@ public class CAProcessor extends Processor {
         } catch (Exception eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                    AuditEvent.AUTHZ_FAIL,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditACLResource,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
index 1da0cf3..70a4a42 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CRMFProcessor.java
@@ -50,6 +50,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.cms.servlet.base.CMSServlet;
@@ -68,9 +69,6 @@ public class CRMFProcessor extends PKIProcessor {
 
     private boolean enforcePop = false;
 
-    private final static String LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION =
-            "LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_2";
-
     public CRMFProcessor() {
         super();
     }
@@ -118,7 +116,7 @@ public class CRMFProcessor extends PKIProcessor {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                                AuditEvent.PROOF_OF_POSSESSION,
                                 auditSubjectID,
                                 ILogger.SUCCESS);
 
@@ -131,7 +129,7 @@ public class CRMFProcessor extends PKIProcessor {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                                AuditEvent.PROOF_OF_POSSESSION,
                                 auditSubjectID,
                                 ILogger.FAILURE);
 
@@ -148,7 +146,7 @@ public class CRMFProcessor extends PKIProcessor {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                            AuditEvent.PROOF_OF_POSSESSION,
                             auditSubjectID,
                             ILogger.FAILURE);
 
@@ -161,7 +159,7 @@ public class CRMFProcessor extends PKIProcessor {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION,
+                    AuditEvent.PROOF_OF_POSSESSION,
                     auditSubjectID,
                     ILogger.FAILURE);
 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
index 89ba1bd..f56c378 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileApproveServlet.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IPolicyConstraint;
@@ -60,8 +61,6 @@ public class ProfileApproveServlet extends ProfileServlet {
     private static final String PROP_AUTHORITY_ID = "authorityId";
     private String mAuthorityId = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL =
-            "LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4";
     private final static String OP_APPROVE = "approve";
     private final static String OP_DISAPPROVE = "disapprove";
 
@@ -134,7 +133,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -168,7 +167,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -198,7 +197,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -222,7 +221,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -244,7 +243,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -277,7 +276,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                                    AuditEvent.CERT_PROFILE_APPROVAL,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditProfileID,
@@ -298,7 +297,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditProfileID,
@@ -316,7 +315,7 @@ public class ProfileApproveServlet extends ProfileServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                            AuditEvent.CERT_PROFILE_APPROVAL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditProfileID,
@@ -329,7 +328,7 @@ public class ProfileApproveServlet extends ProfileServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL,
+                        AuditEvent.CERT_PROFILE_APPROVAL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditProfileID,
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 8e02ec2..86996d5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -45,6 +45,7 @@ import com.netscape.certsrv.authorization.EAuthzUnknownRealm;
 import com.netscape.certsrv.authorization.IAuthzSubsystem;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.ForbiddenException;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.realm.PKIPrincipal;
 
@@ -54,11 +55,6 @@ import com.netscape.cms.realm.PKIPrincipal;
 @Provider
 public class ACLInterceptor implements ContainerRequestFilter {
     protected ILogger signedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_FAIL =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_FAIL_5";
-    private final static String LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_5";
-
     private final static String LOGGING_ACL_PARSING_ERROR = "internal error: ACL parsing error";
     private final static String LOGGING_NO_ACL_ACCESS_ALLOWED = "no ACL configured; OK";
     private final static String LOGGING_MISSING_AUTH_TOKEN = "auth token not found";
@@ -178,7 +174,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             // store a message in the signed audit log file
             // although if it didn't pass authentication, it should not have gotten here
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL_INFO,
                         auditSubjectID,
                         ILogger.FAILURE,
                         null, // resource
@@ -195,7 +191,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             CMS.debug("ACLInterceptor: No ACL mapping; authz not required.");
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                        AuditEvent.AUTHZ_SUCCESS_INFO,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         null, //resource
@@ -219,7 +215,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
         } catch (IOException e) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL_INFO,
                         auditSubjectID,
                         ILogger.FAILURE,
                         null, //resource
@@ -236,7 +232,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             CMS.debug("ACLInterceptor: No ACL configuration.");
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                    AuditEvent.AUTHZ_SUCCESS_INFO,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     null, //resource
@@ -252,7 +248,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             CMS.debug("ACLInterceptor: Invalid ACL mapping.");
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                    AuditEvent.AUTHZ_FAIL_INFO,
                     auditSubjectID,
                     ILogger.FAILURE,
                     null, //resource
@@ -279,7 +275,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
                 CMS.debug("ACLInterceptor: " + info);
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                            AuditEvent.AUTHZ_FAIL_INFO,
                             auditSubjectID,
                             ILogger.FAILURE,
                             values[0], // resource
@@ -296,7 +292,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             CMS.debug("ACLInterceptor: " + info);
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL_INFO,
                         auditSubjectID,
                         ILogger.FAILURE,
                         values[0], // resource
@@ -309,7 +305,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
             String info = e.getMessage();
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUTHZ_FAIL,
+                        AuditEvent.AUTHZ_FAIL_INFO,
                         auditSubjectID,
                         ILogger.FAILURE,
                         values[0], // resource
@@ -323,7 +319,7 @@ public class ACLInterceptor implements ContainerRequestFilter {
         // Allow request.
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS,
+                    AuditEvent.AUTHZ_SUCCESS_INFO,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     values[0], // resource
-- 
1.8.3.1


From 6b9aee2d0a37cb7e8b93614b693cda0e6c410d9b Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 04:33:11 +0200
Subject: [PATCH 46/59] Reorganized audit event constants for CA.

Change-Id: I407a7a13c4e428e01632536faa27583e7c6d577e
---
 .../com/netscape/certsrv/logging/AuditEvent.java   | 11 +++
 .../netscape/cms/profile/common/EnrollProfile.java |  8 +-
 .../cms/servlet/cert/CMCRevReqServlet.java         | 26 +++----
 .../netscape/cms/servlet/cert/CertProcessor.java   |  7 +-
 .../com/netscape/cms/servlet/cert/DoRevokeTPS.java | 23 +++---
 .../netscape/cms/servlet/cert/DoUnrevokeTPS.java   | 17 ++---
 .../netscape/cms/servlet/cert/EnrollServlet.java   | 46 ++++++------
 .../cms/servlet/cert/RequestProcessor.java         |  9 ++-
 .../cms/servlet/cert/RevocationProcessor.java      | 10 +--
 .../cms/servlet/cert/scep/CRSEnrollment.java       |  3 +-
 .../cms/servlet/connector/ConnectorServlet.java    | 15 ++--
 .../cms/servlet/processors/CAProcessor.java        |  2 -
 .../servlet/profile/ProfileSubmitCMCServlet.java   | 12 ++-
 .../cms/servlet/request/ProcessCertReq.java        | 85 +++++++++++-----------
 14 files changed, 128 insertions(+), 146 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 82cb77f..39314df 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,17 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String NON_PROFILE_CERT_REQUEST =
+            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
+    public final static String PROFILE_CERT_REQUEST =
+            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
+    public final static String CERT_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
+    public final static String CERT_STATUS_CHANGE_REQUEST =
+            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
+    public final static String CERT_STATUS_CHANGE_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
+
     public final static String AUTHZ_SUCCESS =
             "LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS_4";
     public final static String AUTHZ_SUCCESS_INFO =
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 0ec3c94..370cc33 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -120,8 +120,6 @@ import netscape.security.x509.X509Key;
 public abstract class EnrollProfile extends BasicProfile
         implements IEnrollProfile {
 
-    private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
     private PKIData mCMCData;
 
     public EnrollProfile() {
@@ -1915,7 +1913,7 @@ public abstract class EnrollProfile extends BasicProfile
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                        AuditEvent.PROFILE_CERT_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -1928,7 +1926,7 @@ public abstract class EnrollProfile extends BasicProfile
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                        AuditEvent.PROFILE_CERT_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -1941,7 +1939,7 @@ public abstract class EnrollProfile extends BasicProfile
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                        AuditEvent.PROFILE_CERT_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
index 71c10ea..f4d7f8f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CMCRevReqServlet.java
@@ -53,6 +53,7 @@ import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertRecordList;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -92,11 +93,6 @@ public class CMCRevReqServlet extends CMSServlet {
     private final static String REVOKE = "revoke";
     private final static String ON_HOLD = "on-hold";
     private final static int ON_HOLD_REASON = 6;
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
-
     // http params
     public static final String SERIAL_NO = TOKEN_CERT_SERIAL;
     public static final String REASON_CODE = "reasonCode";
@@ -546,7 +542,7 @@ public class CMCRevReqServlet extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -815,7 +811,7 @@ public class CMCRevReqServlet extends CMSServlet {
                     auditApprovalStatus == RequestStatus.REJECTED ||
                     auditApprovalStatus == RequestStatus.CANCELED) {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -832,7 +828,7 @@ public class CMCRevReqServlet extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -849,7 +845,7 @@ public class CMCRevReqServlet extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -870,7 +866,7 @@ public class CMCRevReqServlet extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -887,7 +883,7 @@ public class CMCRevReqServlet extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -909,7 +905,7 @@ public class CMCRevReqServlet extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -926,7 +922,7 @@ public class CMCRevReqServlet extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -945,7 +941,7 @@ public class CMCRevReqServlet extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -962,7 +958,7 @@ public class CMCRevReqServlet extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
index 47b5222..0534f90 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/CertProcessor.java
@@ -30,6 +30,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.cert.CertEnrollmentRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EDeferException;
 import com.netscape.certsrv.profile.ERejectException;
@@ -230,7 +231,7 @@ public class CertProcessor extends CAProcessor {
                             ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -266,7 +267,7 @@ public class CertProcessor extends CAProcessor {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                        AuditEvent.CERT_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -284,7 +285,7 @@ public class CertProcessor extends CAProcessor {
                 req.setExtData(IRequest.ERROR_CODE, errorCode);
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                        AuditEvent.CERT_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
index 79eba99..68ac6da 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoRevokeTPS.java
@@ -46,6 +46,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -89,10 +90,6 @@ public class DoRevokeTPS extends CMSServlet {
     private final static String REVOKE = "revoke";
     private final static String ON_HOLD = "on-hold";
     private final static int ON_HOLD_REASON = 6;
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
 
     public DoRevokeTPS() {
         super();
@@ -433,7 +430,7 @@ public class DoRevokeTPS extends CMSServlet {
                     CMS.debug(method + "Only have previously revoked certs in the list.");
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRequesterID,
@@ -450,7 +447,7 @@ public class DoRevokeTPS extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -475,7 +472,7 @@ public class DoRevokeTPS extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -561,7 +558,7 @@ public class DoRevokeTPS extends CMSServlet {
                             auditApprovalStatus == RequestStatus.REJECTED ||
                             auditApprovalStatus == RequestStatus.CANCELED) {
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -752,7 +749,7 @@ public class DoRevokeTPS extends CMSServlet {
                     auditApprovalStatus == RequestStatus.REJECTED ||
                     auditApprovalStatus == RequestStatus.CANCELED) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRequesterID,
@@ -770,7 +767,7 @@ public class DoRevokeTPS extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -787,7 +784,7 @@ public class DoRevokeTPS extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -809,7 +806,7 @@ public class DoRevokeTPS extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -826,7 +823,7 @@ public class DoRevokeTPS extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
index 39ccb49..30bde76 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/DoUnrevokeTPS.java
@@ -30,7 +30,7 @@ import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import netscape.security.x509.X509CertImpl;
+import org.dogtagpki.server.connector.IRemoteRequest;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
@@ -43,6 +43,7 @@ import com.netscape.certsrv.ca.ICRLIssuingPoint;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -53,7 +54,7 @@ import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
 import com.netscape.cms.servlet.common.ECMSGWException;
 
-import org.dogtagpki.server.connector.IRemoteRequest;
+import netscape.security.x509.X509CertImpl;
 
 /**
  * 'Unrevoke' a certificate. (For certificates that are on-hold only,
@@ -78,10 +79,6 @@ public class DoUnrevokeTPS extends CMSServlet {
 
     private final static String OFF_HOLD = "off-hold";
     private final static int OFF_HOLD_REASON = 6;
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
 
     public DoUnrevokeTPS() {
         super();
@@ -268,7 +265,7 @@ public class DoUnrevokeTPS extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                        AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -465,7 +462,7 @@ public class DoUnrevokeTPS extends CMSServlet {
                     auditApprovalStatus == RequestStatus.REJECTED ||
                     auditApprovalStatus == RequestStatus.CANCELED) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRequesterID,
@@ -482,7 +479,7 @@ public class DoUnrevokeTPS extends CMSServlet {
                 // store a "CERT_STATUS_CHANGE_REQUEST" failure
                 // message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                            AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -499,7 +496,7 @@ public class DoUnrevokeTPS extends CMSServlet {
                         auditApprovalStatus == RequestStatus.REJECTED ||
                         auditApprovalStatus == RequestStatus.CANCELED) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
index 91caccf..3757967 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/EnrollServlet.java
@@ -58,6 +58,7 @@ import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertRecordList;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
@@ -153,11 +154,6 @@ public class EnrollServlet extends CMSServlet {
             + "indeterminate reason for inability to process "
             + "cert request due to an EBaseException"
         };
-    private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST =
-            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
-
     private static final String HEADER = "-----BEGIN NEW CERTIFICATE REQUEST-----";
     private static final String TRAILER = "-----END NEW CERTIFICATE REQUEST-----";
 
@@ -766,7 +762,7 @@ public class EnrollServlet extends CMSServlet {
                 //  an "agent" cert request for "bulk enrollment", or
                 //  an "EE" standard cert request)
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                            AuditEvent.NON_PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -829,7 +825,7 @@ public class EnrollServlet extends CMSServlet {
                 //  an "agent" cert request for "bulk enrollment", or
                 //  an "EE" standard cert request)
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                            AuditEvent.NON_PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -872,7 +868,7 @@ public class EnrollServlet extends CMSServlet {
                     //  an "agent" cert request for "bulk enrollment", or
                     //  an "EE" standard cert request)
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -912,7 +908,7 @@ public class EnrollServlet extends CMSServlet {
                     //  an "agent" cert request for "bulk enrollment", or
                     //  an "EE" standard cert request)
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -969,7 +965,7 @@ public class EnrollServlet extends CMSServlet {
                     //  an "agent" cert request for "bulk enrollment", or
                     //  an "EE" standard cert request)
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1072,7 +1068,7 @@ public class EnrollServlet extends CMSServlet {
                         //  certificate, an "agent" cert request for
                         //  "bulk enrollment", or an "EE" standard cert request)
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -1102,7 +1098,7 @@ public class EnrollServlet extends CMSServlet {
                         //  certificate, an "agent" cert request for
                         //  "bulk enrollment", or an "EE" standard cert request)
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -1129,7 +1125,7 @@ public class EnrollServlet extends CMSServlet {
                         //  certificate, an "agent" cert request for
                         //  "bulk enrollment", or an "EE" standard cert request)
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -1177,7 +1173,7 @@ public class EnrollServlet extends CMSServlet {
                         //  certificate, an "agent" cert request for
                         //  "bulk enrollment", or an "EE" standard cert request)
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -1230,7 +1226,7 @@ public class EnrollServlet extends CMSServlet {
                         //  certificate, an "agent" cert request for
                         //  "bulk enrollment", or an "EE" standard cert request)
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -1279,7 +1275,7 @@ public class EnrollServlet extends CMSServlet {
                 //  an "agent" cert request for "bulk enrollment", or
                 //  an "EE" standard cert request)
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                            AuditEvent.NON_PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -1322,7 +1318,7 @@ public class EnrollServlet extends CMSServlet {
             //  an "agent" cert request for "bulk enrollment", or
             //  an "EE" standard cert request)
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                        AuditEvent.NON_PROFILE_CERT_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -1337,7 +1333,7 @@ public class EnrollServlet extends CMSServlet {
             //  an "agent" cert request for "bulk enrollment", or
             //  an "EE" standard cert request)
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                        AuditEvent.NON_PROFILE_CERT_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -1374,7 +1370,7 @@ public class EnrollServlet extends CMSServlet {
                         // (automated "agent" cert request processed
                         //  - "accepted")
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.SUCCESS,
                                     auditRequesterID,
@@ -1388,7 +1384,7 @@ public class EnrollServlet extends CMSServlet {
 
                     // (automated "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1408,7 +1404,7 @@ public class EnrollServlet extends CMSServlet {
             if (completed == false) {
                 // (automated "agent" cert request processed - "rejected")
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                            AuditEvent.CERT_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -1464,7 +1460,7 @@ public class EnrollServlet extends CMSServlet {
                 for (int i = 0; i < issuedCerts.length; i++) {
                     // (automated "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -1487,7 +1483,7 @@ public class EnrollServlet extends CMSServlet {
                 for (int i = 0; i < issuedCerts.length; i++) {
                     // (automated "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -1504,7 +1500,7 @@ public class EnrollServlet extends CMSServlet {
 
                 // (automated "agent" cert request processed - "rejected")
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                            AuditEvent.CERT_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -1520,7 +1516,7 @@ public class EnrollServlet extends CMSServlet {
             // store a message in the signed audit log file
             // (automated "agent" cert request processed - "rejected")
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                        AuditEvent.CERT_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
index 436e7a9..474a2e5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RequestProcessor.java
@@ -40,6 +40,7 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.CANotFoundException;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.cert.CertReviewResponse;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EDeferException;
 import com.netscape.certsrv.profile.EProfileException;
@@ -283,7 +284,7 @@ public class RequestProcessor extends CertProcessor {
 
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                AuditEvent.CERT_REQUEST_PROCESSED,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 auditRequesterID,
@@ -319,7 +320,7 @@ public class RequestProcessor extends CertProcessor {
 
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                AuditEvent.CERT_REQUEST_PROCESSED,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 auditRequesterID,
@@ -399,7 +400,7 @@ public class RequestProcessor extends CertProcessor {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                    AuditEvent.CERT_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditRequesterID,
@@ -411,7 +412,7 @@ public class RequestProcessor extends CertProcessor {
         } catch (EProfileException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                    AuditEvent.CERT_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
index ffcda63..b90966e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/RevocationProcessor.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -62,11 +63,6 @@ public class RevocationProcessor extends CertProcessor {
     public final static String ON_HOLD = "on-hold";
     public final static String OFF_HOLD = "off-hold";
 
-    public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_5";
-    public final static String LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED_7";
-
     long startTime;
 
     ICertificateAuthority authority;
@@ -486,7 +482,7 @@ public class RevocationProcessor extends CertProcessor {
             return;
 
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST,
+                AuditEvent.CERT_STATUS_CHANGE_REQUEST,
                 auditor.getSubjectID(),
                 status,
                 requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
@@ -510,7 +506,7 @@ public class RevocationProcessor extends CertProcessor {
                 || requestStatus == RequestStatus.CANCELED)) return;
 
         String auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED,
+                AuditEvent.CERT_STATUS_CHANGE_REQUEST_PROCESSED,
                 auditor.getSubjectID(),
                 status,
                 requestID == null ? ILogger.UNIDENTIFIED : requestID.toString(),
diff --git a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
index c2c6cde..150c36f 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/cert/scep/CRSEnrollment.java
@@ -73,6 +73,7 @@ import com.netscape.certsrv.base.ISubsystem;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.ldap.ILdapConnFactory;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
@@ -1495,7 +1496,7 @@ public class CRSEnrollment extends HttpServlet {
 
                 // perform audit log
                 String auditMessage = CMS.getLogMessage(
-                            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5",
+                            AuditEvent.NON_PROFILE_CERT_REQUEST,
                             httpReq.getRemoteAddr(),
                             ILogger.FAILURE,
                             req.getTransactionID(),
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index 014db79..2299e60 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
@@ -98,11 +98,6 @@ public class ConnectorServlet extends CMSServlet {
 
     protected ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
     private final static String SIGNED_AUDIT_PROTECTION_METHOD_SSL = "ssl";
-    private final static String LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
-
     private final static byte EOL[] = { Character.LINE_SEPARATOR };
 
     public ConnectorServlet() {
@@ -554,7 +549,7 @@ public class ConnectorServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                            AuditEvent.PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRequesterID,
@@ -568,7 +563,7 @@ public class ConnectorServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                            AuditEvent.PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -582,7 +577,7 @@ public class ConnectorServlet extends CMSServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST,
+                            AuditEvent.PROFILE_CERT_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -636,7 +631,7 @@ public class ConnectorServlet extends CMSServlet {
                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.SUCCESS,
                                     auditRequesterID,
@@ -657,7 +652,7 @@ public class ConnectorServlet extends CMSServlet {
                                    ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index d5a9c4d..5669233 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -117,8 +117,6 @@ public class CAProcessor extends Processor {
     public static final String ACL_INFO = "ACLinfo";
     public static final String PROFILE_SUB_ID = "profileSubId";
 
-    public final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
     public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
             "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
diff --git a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
index c233e41..fd155a6 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/profile/ProfileSubmitCMCServlet.java
@@ -44,6 +44,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EDeferException;
 import com.netscape.certsrv.profile.EProfileException;
@@ -83,9 +84,6 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
     private String mProfileSubId = null;
     private String requestB64 = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
-
     public ProfileSubmitCMCServlet() {
     }
 
@@ -682,7 +680,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
                                     ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                        AuditEvent.CERT_REQUEST_PROCESSED,
                                         auditSubjectID,
                                         ILogger.SUCCESS,
                                         auditRequesterID,
@@ -738,7 +736,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
                     if (errorCode.equals("1")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -753,7 +751,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
                     } else if (errorCode.equals("3")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -787,7 +785,7 @@ public class ProfileSubmitCMCServlet extends ProfileServlet {
                                 ILogger.SIGNED_AUDIT_EMPTY_VALUE))) {
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.SUCCESS,
                                     auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
index 367c558..d15774e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/request/ProcessCertReq.java
@@ -35,21 +35,6 @@ import javax.servlet.ServletOutputStream;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
-import netscape.security.extensions.NSCertTypeExtension;
-import netscape.security.extensions.PresenceServerExtension;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.CertificateVersion;
-import netscape.security.x509.Extension;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -62,6 +47,7 @@ import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.ICMSRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.publish.IPublisherProcessor;
@@ -80,6 +66,21 @@ import com.netscape.cms.servlet.common.CMSTemplateParams;
 import com.netscape.cms.servlet.common.ECMSGWException;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.extensions.NSCertTypeExtension;
+import netscape.security.extensions.PresenceServerExtension;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.CertificateVersion;
+import netscape.security.x509.Extension;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * Agent operations on Certificate requests. This servlet is used
  * by an Agent to approve, reject, reassign, or change a certificate
@@ -170,10 +171,6 @@ public class ProcessCertReq extends CMSServlet {
             + "indeterminate reason for inability to process "
             + "cert request due to a NoSuchAlgorithmException"
         };
-    private final static String LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST =
-            "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
-    private final static String LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED_5";
 
     /**
      * Process request.
@@ -457,7 +454,7 @@ public class ProcessCertReq extends CMSServlet {
                     if (toDo.equals(SIGNED_AUDIT_CLONING)) {
                         // ("agent" cert request for "cloning")
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                    AuditEvent.NON_PROFILE_CERT_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -468,7 +465,7 @@ public class ProcessCertReq extends CMSServlet {
                     } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
                         // (manual "agent" cert request processed - "accepted")
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -479,7 +476,7 @@ public class ProcessCertReq extends CMSServlet {
                     } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
                         // (manual "agent" cert request processed - "cancelled")
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -490,7 +487,7 @@ public class ProcessCertReq extends CMSServlet {
                     } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
                         // (manual "agent" cert request processed - "rejected")
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                    AuditEvent.CERT_REQUEST_PROCESSED,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -940,7 +937,7 @@ public class ProcessCertReq extends CMSServlet {
                                 // (one for each manual "agent"
                                 //  cert request processed - "accepted")
                                 auditMessage = CMS.getLogMessage(
-                                            LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                            AuditEvent.CERT_REQUEST_PROCESSED,
                                             auditSubjectID,
                                             ILogger.SUCCESS,
                                             auditRequesterID,
@@ -984,7 +981,7 @@ public class ProcessCertReq extends CMSServlet {
                             // (manual "agent" cert request processed
                             //  - "accepted")
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                        AuditEvent.CERT_REQUEST_PROCESSED,
                                         auditSubjectID,
                                         ILogger.SUCCESS,
                                         auditRequesterID,
@@ -1109,7 +1106,7 @@ public class ProcessCertReq extends CMSServlet {
                     // store a message in the signed audit log file
                     // (manual "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -1171,7 +1168,7 @@ public class ProcessCertReq extends CMSServlet {
                     // store a message in the signed audit log file
                     // (manual "agent" cert request processed - "cancelled")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -1238,7 +1235,7 @@ public class ProcessCertReq extends CMSServlet {
                     // store a message in the signed audit log file
                     // ("agent" cert request for "cloning")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -1271,7 +1268,7 @@ public class ProcessCertReq extends CMSServlet {
                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
                     // ("agent" cert request for "cloning")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1282,7 +1279,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
                     // (manual "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1293,7 +1290,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
                     // (manual "agent" cert request processed - "cancelled")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1304,7 +1301,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
                     // (manual "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1324,7 +1321,7 @@ public class ProcessCertReq extends CMSServlet {
                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
                     // ("agent" cert request for "cloning")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1335,7 +1332,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
                     // (manual "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1346,7 +1343,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
                     // (manual "agent" cert request processed - "cancelled")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1357,7 +1354,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
                     // (manual "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1378,7 +1375,7 @@ public class ProcessCertReq extends CMSServlet {
                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
                     // ("agent" cert request for "cloning")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1389,7 +1386,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
                     // (manual "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1400,7 +1397,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
                     // (manual "agent" cert request processed - "cancelled")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1411,7 +1408,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
                     // (manual "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1432,7 +1429,7 @@ public class ProcessCertReq extends CMSServlet {
                 if (toDo.equals(SIGNED_AUDIT_CLONING)) {
                     // ("agent" cert request for "cloning")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST,
+                                AuditEvent.NON_PROFILE_CERT_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1443,7 +1440,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_ACCEPTANCE)) {
                     // (manual "agent" cert request processed - "accepted")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1454,7 +1451,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_CANCELLATION)) {
                     // (manual "agent" cert request processed - "cancelled")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -1465,7 +1462,7 @@ public class ProcessCertReq extends CMSServlet {
                 } else if (toDo.equals(SIGNED_AUDIT_REJECTION)) {
                     // (manual "agent" cert request processed - "rejected")
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED,
+                                AuditEvent.CERT_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
-- 
1.8.3.1


From e0b3e36b6737e872e479624780497373765600f4 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 04:58:25 +0200
Subject: [PATCH 47/59] Reorganized additional audit event constants for KRA.

Change-Id: Ib4586443f7e6f759d227975f9736cdd30b8f32e8
---
 base/ca/src/com/netscape/ca/CAService.java         | 67 +++++++++++-----------
 .../com/netscape/certsrv/logging/AuditEvent.java   | 27 +++++++++
 .../src/com/netscape/kra/EnrollmentService.java    | 32 +++++------
 .../src/com/netscape/kra/KeyRecoveryAuthority.java | 42 +++++---------
 .../src/com/netscape/kra/NetkeyKeygenService.java  | 31 +++-------
 .../com/netscape/kra/TokenKeyRecoveryService.java  | 36 ++++++------
 .../cms/profile/common/CAEnrollProfile.java        | 12 ++--
 .../cms/servlet/admin/CMSAdminServlet.java         | 11 ++--
 .../com/netscape/cms/servlet/key/GetAsyncPk12.java | 11 +---
 .../src/com/netscape/cms/servlet/key/GetPk12.java  | 11 +---
 .../cms/servlet/key/GrantAsyncRecovery.java        | 10 ++--
 .../netscape/cms/servlet/key/GrantRecovery.java    | 12 ++--
 12 files changed, 138 insertions(+), 164 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 31df153..5b364b8 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -31,33 +31,6 @@ import java.util.Enumeration;
 import java.util.Hashtable;
 import java.util.Vector;
 
-import netscape.security.extensions.CertInfo;
-import netscape.security.util.BigInt;
-import netscape.security.util.DerValue;
-import netscape.security.x509.AlgorithmId;
-import netscape.security.x509.BasicConstraintsExtension;
-import netscape.security.x509.CRLExtensions;
-import netscape.security.x509.CRLReasonExtension;
-import netscape.security.x509.CertificateAlgorithmId;
-import netscape.security.x509.CertificateChain;
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateIssuerName;
-import netscape.security.x509.CertificateSerialNumber;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.Extension;
-import netscape.security.x509.LdapV3DNStrConverter;
-import netscape.security.x509.PKIXExtensions;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.RevokedCertImpl;
-import netscape.security.x509.SerialNumber;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X500NameAttrMap;
-import netscape.security.x509.X509CRLImpl;
-import netscape.security.x509.X509CertImpl;
-import netscape.security.x509.X509CertInfo;
-import netscape.security.x509.X509ExtensionException;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.authority.ICertAuthority;
@@ -77,6 +50,7 @@ import com.netscape.certsrv.dbs.ModificationSet;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertRecordList;
 import com.netscape.certsrv.dbs.crldb.ICRLIssuingPointRecord;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IProfile;
@@ -95,6 +69,33 @@ import com.netscape.cmscore.dbs.RevocationInfo;
 import com.netscape.cmscore.util.Debug;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.extensions.CertInfo;
+import netscape.security.util.BigInt;
+import netscape.security.util.DerValue;
+import netscape.security.x509.AlgorithmId;
+import netscape.security.x509.BasicConstraintsExtension;
+import netscape.security.x509.CRLExtensions;
+import netscape.security.x509.CRLReasonExtension;
+import netscape.security.x509.CertificateAlgorithmId;
+import netscape.security.x509.CertificateChain;
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateIssuerName;
+import netscape.security.x509.CertificateSerialNumber;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.Extension;
+import netscape.security.x509.LdapV3DNStrConverter;
+import netscape.security.x509.PKIXExtensions;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.RevokedCertImpl;
+import netscape.security.x509.SerialNumber;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X500NameAttrMap;
+import netscape.security.x509.X509CRLImpl;
+import netscape.security.x509.X509CertImpl;
+import netscape.security.x509.X509CertInfo;
+import netscape.security.x509.X509ExtensionException;
+
 /**
  * Request Service for CertificateAuthority.
  */
@@ -115,8 +116,6 @@ public class CAService implements ICAService, IService {
     private Hashtable<String, ICRLIssuingPoint> mCRLIssuingPoints = new Hashtable<String, ICRLIssuingPoint>();
 
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
 
     public CAService(ICertificateAuthority ca) {
         mCA = ca;
@@ -422,7 +421,7 @@ public class CAService implements ICAService, IService {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -441,7 +440,7 @@ public class CAService implements ICAService, IService {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -459,7 +458,7 @@ public class CAService implements ICAService, IService {
                     if (request.getExtDataInString(IRequest.ERROR) != null) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -486,7 +485,7 @@ public class CAService implements ICAService, IService {
             if (!(type.equals(IRequest.REVOCATION_REQUEST) ||
                     type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -506,7 +505,7 @@ public class CAService implements ICAService, IService {
                 type.equals(IRequest.UNREVOCATION_REQUEST) || type.equals(IRequest.CMCREVOKE_REQUEST))) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditRequesterID,
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 39314df..dc434fa 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,33 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String PRIVATE_KEY_ARCHIVE_REQUEST =
+            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
+    public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
+    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
+    public final static String PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
+    public final static String SERVER_SIDE_KEYGEN_REQUEST =
+            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
+    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
+            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
+    public final static String SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
+            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
+    public final static String KEY_RECOVERY_REQUEST =
+            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
+    public final static String KEY_RECOVERY_REQUEST_ASYNC =
+            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
+    public final static String KEY_RECOVERY_AGENT_LOGIN =
+            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
+    public final static String KEY_RECOVERY_REQUEST_PROCESSED =
+            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
+    public final static String KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
+            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
+    public final static String KEY_GEN_ASYMMETRIC =
+            "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
+
     public final static String NON_PROFILE_CERT_REQUEST =
             "LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5";
     public final static String PROFILE_CERT_REQUEST =
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 36a809b..d2748a2 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -48,6 +48,7 @@ import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.kra.EKRAException;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.kra.ProofOfArchival;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.IEnrollProfile;
@@ -102,11 +103,6 @@ public class EnrollmentService implements IService {
     private IStorageKeyUnit mStorageUnit = null;
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
 
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
-
     /**
      * Constructs request processor.
      * <P>
@@ -205,7 +201,7 @@ public class EnrollmentService implements IService {
             } catch (IOException e) {
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -253,7 +249,7 @@ public class EnrollmentService implements IService {
                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_UNWRAP_USER_KEY"));
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -289,7 +285,7 @@ public class EnrollmentService implements IService {
                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -331,7 +327,7 @@ public class EnrollmentService implements IService {
                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
@@ -352,7 +348,7 @@ public class EnrollmentService implements IService {
                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
 
                     auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -377,7 +373,7 @@ public class EnrollmentService implements IService {
                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_OWNER_NAME_NOT_FOUND"));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -412,7 +408,7 @@ public class EnrollmentService implements IService {
                 mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_WRAP_USER_KEY"));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -439,7 +435,7 @@ public class EnrollmentService implements IService {
                 } catch (InvalidKeyException e) {
 
                     auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -489,7 +485,7 @@ public class EnrollmentService implements IService {
                                 rec.getSerialNumber().toString()));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -511,7 +507,7 @@ public class EnrollmentService implements IService {
                 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
                 // TODO(alee) Set correct audit message here
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -529,7 +525,7 @@ public class EnrollmentService implements IService {
                         CMS.getLogMessage("CMSCORE_KRA_GET_NEXT_SERIAL"));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -586,7 +582,7 @@ public class EnrollmentService implements IService {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -597,7 +593,7 @@ public class EnrollmentService implements IService {
             // store a message in the signed audit log file
             auditPublicKey = auditPublicKey(rec);
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditPublicKey);
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index 64680ed..b6e4376 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -46,6 +46,7 @@ import com.netscape.certsrv.dbs.replicadb.IReplicaIDRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
 import com.netscape.certsrv.kra.IKeyService;
 import com.netscape.certsrv.listeners.EListenersException;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.ARequestNotifier;
 import com.netscape.certsrv.request.IPolicy;
@@ -137,19 +138,6 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
     private final static byte EOL[] = { Character.LINE_SEPARATOR };
     private final static String SIGNED_AUDIT_AGENT_DELIMITER = ", ";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC_4";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC_4";
-
     /**
      * Constructs an escrow authority.
      * <P>
@@ -777,7 +765,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequesterID,
@@ -787,7 +775,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequesterID,
@@ -808,7 +796,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditPublicKey);
@@ -817,7 +805,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                        AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditPublicKey);
@@ -859,7 +847,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC,
+                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRecoveryID,
@@ -869,7 +857,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_ASYNC,
+                        AuditEvent.KEY_RECOVERY_REQUEST_ASYNC,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -1049,7 +1037,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+                        AuditEvent.KEY_RECOVERY_REQUEST,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRecoveryID,
@@ -1059,7 +1047,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+                        AuditEvent.KEY_RECOVERY_REQUEST,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -1083,7 +1071,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRecoveryID,
@@ -1097,7 +1085,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -1110,7 +1098,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -1178,7 +1166,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditRecoveryID,
@@ -1192,7 +1180,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -1205,7 +1193,7 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 3f5e32f..665ff19 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -55,6 +55,7 @@ import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.dbs.keydb.IKeyRecord;
 import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
@@ -91,22 +92,6 @@ public class NetkeyKeygenService implements IService {
     public final static String ATTR_PROOF_OF_ARCHIVAL =
             "proofOfArchival";
 
-    // private
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED_3";
-    // these need to be defined in LogMessages_en.properties later when we do this
-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST =
-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_3";
-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS_4";
-    private final static String LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE_3";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
     private IKeyRecoveryAuthority mKRA = null;
     private ITransportKeyUnit mTransportUnit = null;
     private IStorageKeyUnit mStorageUnit = null;
@@ -384,7 +369,7 @@ public class NetkeyKeygenService implements IService {
         }
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST,
+                AuditEvent.SERVER_SIDE_KEYGEN_REQUEST,
                 agentId,
                 ILogger.SUCCESS,
                 auditSubjectID);
@@ -455,7 +440,7 @@ public class NetkeyKeygenService implements IService {
                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
+                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,
                         agentId,
                         ILogger.FAILURE,
                         auditSubjectID);
@@ -487,7 +472,7 @@ public class NetkeyKeygenService implements IService {
                 }
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
+                        AuditEvent.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,
                         agentId,
                         ILogger.SUCCESS,
                         auditSubjectID,
@@ -550,7 +535,7 @@ public class NetkeyKeygenService implements IService {
                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
                     CMS.debug("NetkeyKeygenService: failed generating wrapped private key");
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
                             agentId,
                             ILogger.FAILURE,
                             auditSubjectID,
@@ -561,7 +546,7 @@ public class NetkeyKeygenService implements IService {
                 } else {
                     request.setExtData("wrappedUserPrivate", wrappedPrivKeyString);
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
                             agentId,
                             ILogger.SUCCESS,
                             auditSubjectID,
@@ -586,7 +571,7 @@ public class NetkeyKeygenService implements IService {
                     //            mKRA.log(ILogger.LL_INFO, "KRA encrypts internal private");
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                             agentId,
                             ILogger.SUCCESS,
                             auditSubjectID,
@@ -680,7 +665,7 @@ public class NetkeyKeygenService implements IService {
                     CMS.debug("NetkeyKeygenService: key archived for " + rCUID + ":" + rUserid);
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
+                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,
                             agentId,
                             ILogger.SUCCESS,
                             PubKey);
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index b084964..b710291 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -45,6 +45,7 @@ import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.kra.EKRAException;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.certsrv.request.IService;
@@ -89,11 +90,6 @@ public class TokenKeyRecoveryService implements IService {
     private IStorageKeyUnit mStorageUnit = null;
     private ITransportKeyUnit mTransportUnit = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4";
-
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED_4";
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
 
     /**
@@ -271,7 +267,7 @@ public class TokenKeyRecoveryService implements IService {
             CMS.debug("TokenKeyRecoveryService: not receive des key");
             request.setExtData(IRequest.RESULT, Integer.valueOf(4));
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -289,7 +285,7 @@ public class TokenKeyRecoveryService implements IService {
             CMS.debug("TokenKeyRecoveryService: not receive cert or keyid");
             request.setExtData(IRequest.RESULT, Integer.valueOf(3));
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -310,7 +306,7 @@ public class TokenKeyRecoveryService implements IService {
                     CMS.debug("cert mapping failed");
                     request.setExtData(IRequest.RESULT, Integer.valueOf(5));
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -323,7 +319,7 @@ public class TokenKeyRecoveryService implements IService {
                 CMS.debug("TokenKeyRecoveryService: mapCert failed");
                 request.setExtData(IRequest.RESULT, Integer.valueOf(6));
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -362,7 +358,7 @@ public class TokenKeyRecoveryService implements IService {
                     CMS.debug("key record not found");
                     request.setExtData(IRequest.RESULT, Integer.valueOf(8));
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -375,7 +371,7 @@ public class TokenKeyRecoveryService implements IService {
                 com.netscape.cmscore.util.Debug.printStackTrace(e);
                 request.setExtData(IRequest.RESULT, Integer.valueOf(9));
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -409,7 +405,7 @@ public class TokenKeyRecoveryService implements IService {
                 if (inputPubData.length != pubData.length) {
                     mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                            AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -424,7 +420,7 @@ public class TokenKeyRecoveryService implements IService {
                     if (pubData[i] != inputPubData[i]) {
                         mKRA.log(ILogger.LL_FAILURE, CMS.getLogMessage("CMSCORE_KRA_PUBLIC_KEY_LEN"));
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                                AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRecoveryID,
@@ -447,7 +443,7 @@ public class TokenKeyRecoveryService implements IService {
                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
                     auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -477,7 +473,7 @@ public class TokenKeyRecoveryService implements IService {
                     mKRA.log(ILogger.LL_FAILURE,
                         CMS.getLogMessage("CMSCORE_KRA_PUBLIC_NOT_FOUND"));
                     auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -503,7 +499,7 @@ public class TokenKeyRecoveryService implements IService {
                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
                     CMS.debug("TokenKeyRecoveryService: failed getting private key");
                     auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -533,7 +529,7 @@ public class TokenKeyRecoveryService implements IService {
                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
                 CMS.debug("TokenKeyRecoveryService: failed generating wrapped private key");
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -561,7 +557,7 @@ public class TokenKeyRecoveryService implements IService {
             }
 
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST,
+                    AuditEvent.KEY_RECOVERY_REQUEST,
                     auditSubjectID,
                         ILogger.SUCCESS,
                     auditRecoveryID,
@@ -573,7 +569,7 @@ public class TokenKeyRecoveryService implements IService {
                 request.setExtData(IRequest.RESULT, Integer.valueOf(4));
                 CMS.debug("TokenKeyRecoveryService: failed getting publickey encoded");
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                        AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -588,7 +584,7 @@ public class TokenKeyRecoveryService implements IService {
             }
             request.setExtData("public_key", PubKey);
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_PROCESSED,
+                    AuditEvent.KEY_RECOVERY_REQUEST_PROCESSED,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditRecoveryID,
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
index 44c1245..02aa8c8 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/CAEnrollProfile.java
@@ -29,6 +29,7 @@ import com.netscape.certsrv.ca.AuthorityID;
 import com.netscape.certsrv.ca.ICAService;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.connector.IConnector;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
@@ -49,9 +50,6 @@ import netscape.security.x509.X509CertInfo;
  */
 public class CAEnrollProfile extends EnrollProfile {
 
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
-
     public CAEnrollProfile() {
     }
 
@@ -120,7 +118,7 @@ public class CAEnrollProfile extends EnrollProfile {
                                 "not configured");
 
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditRequesterID,
@@ -135,7 +133,7 @@ public class CAEnrollProfile extends EnrollProfile {
                         // check response
                         if (!request.isSuccess()) {
                             auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                    AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditRequesterID,
@@ -153,7 +151,7 @@ public class CAEnrollProfile extends EnrollProfile {
                         }
 
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                                AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                                 auditSubjectID,
                                 ILogger.SUCCESS,
                                 auditRequesterID,
@@ -170,7 +168,7 @@ public class CAEnrollProfile extends EnrollProfile {
                     CMS.debug(e);
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST,
+                            AuditEvent.PRIVATE_KEY_ARCHIVE_REQUEST,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRequesterID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index 2c3c6be..3e73dc6 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -60,6 +60,7 @@ import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.dbs.certdb.ICertRecord;
 import com.netscape.certsrv.dbs.certdb.ICertificateRepository;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ocsp.IOCSPAuthority;
 import com.netscape.certsrv.ra.IRegistrationAuthority;
@@ -109,8 +110,6 @@ public final class CMSAdminServlet extends AdminServlet {
             "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
     private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
             "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
-    private final static String LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC =
-            "LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3";
     private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
             "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
     private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
@@ -1142,7 +1141,7 @@ public final class CMSAdminServlet extends AdminServlet {
                 if (nickname.equals("")) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
+                                AuditEvent.KEY_GEN_ASYMMETRIC,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditPublicKey);
@@ -1205,7 +1204,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
+                        AuditEvent.KEY_GEN_ASYMMETRIC,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditPublicKey);
@@ -1217,7 +1216,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
+                        AuditEvent.KEY_GEN_ASYMMETRIC,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditPublicKey);
@@ -1229,7 +1228,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC,
+                        AuditEvent.KEY_GEN_ASYMMETRIC,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditPublicKey);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
index 773b91e..f0065e1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetAsyncPk12.java
@@ -35,6 +35,7 @@ import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -64,12 +65,6 @@ public class GetAsyncPk12 extends CMSServlet {
 
     private com.netscape.certsrv.kra.IKeyService mService = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
-
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
-
     private String mFormPath = null;
 
     /**
@@ -213,7 +208,7 @@ public class GetAsyncPk12 extends CMSServlet {
                     mRenderResult = false;
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
                             agent,
                             ILogger.SUCCESS,
                             reqID,
@@ -239,7 +234,7 @@ public class GetAsyncPk12 extends CMSServlet {
 
         if ((agent != null) && (reqID != null)) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
                     agent,
                     ILogger.FAILURE,
                     reqID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
index c79a82f..9bb52cd 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GetPk12.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -63,12 +64,6 @@ public class GetPk12 extends CMSServlet {
 
     private com.netscape.certsrv.kra.IKeyService mService = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS_4";
-
-    private final static String LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE_4";
-
     private String mFormPath = null;
 
     /**
@@ -207,7 +202,7 @@ public class GetPk12 extends CMSServlet {
                     mRenderResult = false;
 
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
+                            AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,
                             agent,
                             ILogger.SUCCESS,
                             recoveryID,
@@ -233,7 +228,7 @@ public class GetPk12 extends CMSServlet {
 
         if ((agent != null) && (recoveryID != null)) {
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
+                    AuditEvent.PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,
                     agent,
                     ILogger.FAILURE,
                     recoveryID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
index 4100391..c410525 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantAsyncRecovery.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.kra.IKeyService;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -61,9 +62,6 @@ public class GrantAsyncRecovery extends CMSServlet {
     private IKeyService mService = null;
     private String mFormPath = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
-
     /**
      * Constructs EA servlet.
      */
@@ -237,7 +235,7 @@ public class GrantAsyncRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRequestID,
@@ -250,7 +248,7 @@ public class GrantAsyncRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequestID,
@@ -262,7 +260,7 @@ public class GrantAsyncRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRequestID,
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
index 9d57fbe..47054d9 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/GrantRecovery.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.common.ICMSRequest;
 import com.netscape.certsrv.kra.IKeyService;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -64,9 +65,6 @@ public class GrantRecovery extends CMSServlet {
     private IKeyService mService = null;
     private String mFormPath = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN =
-            "LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4";
-
     /**
      * Constructs EA servlet.
      */
@@ -243,7 +241,7 @@ public class GrantRecovery extends CMSServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                            AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditRecoveryID,
@@ -266,7 +264,7 @@ public class GrantRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditRecoveryID,
@@ -279,7 +277,7 @@ public class GrantRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
@@ -291,7 +289,7 @@ public class GrantRecovery extends CMSServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN,
+                        AuditEvent.KEY_RECOVERY_AGENT_LOGIN,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditRecoveryID,
-- 
1.8.3.1


From 20a307e4683e62b033f7662ed4aa2f18dfad6226 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 05:23:15 +0200
Subject: [PATCH 48/59] Reorganized audit event constants for configuration.

Change-Id: Ie05572677de0e8eb1244dc6caf2b4a48514a2542
---
 .../dogtagpki/server/ca/rest/ProfileService.java   |   5 +-
 .../com/netscape/certsrv/logging/AuditEvent.java   |  37 ++++++
 .../src/com/netscape/certsrv/logging/IAuditor.java |   3 -
 .../cms/src/com/netscape/cms/logging/LogFile.java  |  10 +-
 .../com/netscape/cms/logging/RollingLogFile.java   |   8 +-
 .../cms/profile/updater/SubsystemGroupUpdater.java |  14 +--
 .../cms/servlet/admin/ACLAdminServlet.java         |  38 +++----
 .../netscape/cms/servlet/admin/AdminServlet.java   |  10 +-
 .../cms/servlet/admin/AuthAdminServlet.java        |  96 ++++++++--------
 .../netscape/cms/servlet/admin/CAAdminServlet.java |  50 ++++-----
 .../cms/servlet/admin/CMSAdminServlet.java         |  86 +++++++-------
 .../cms/servlet/admin/GroupMemberProcessor.java    |   4 +-
 .../cms/servlet/admin/KRAAdminServlet.java         |   8 +-
 .../cms/servlet/admin/LogAdminServlet.java         | 113 +++++++++----------
 .../cms/servlet/admin/OCSPAdminServlet.java        |  22 ++--
 .../cms/servlet/admin/PolicyAdminServlet.java      |  62 +++++------
 .../cms/servlet/admin/ProfileAdminServlet.java     | 124 ++++++++++-----------
 .../cms/servlet/admin/UsrGrpAdminServlet.java      | 120 ++++++++++----------
 .../com/netscape/cms/servlet/base/CMSServlet.java  |  17 ++-
 .../netscape/cms/servlet/csadmin/RegisterUser.java |  14 +--
 .../servlet/csadmin/SecurityDomainProcessor.java   |   4 +-
 .../cms/servlet/csadmin/UpdateDomainXML.java       |  11 +-
 .../cms/servlet/processors/CAProcessor.java        |  14 +--
 .../org/dogtagpki/server/rest/AuditService.java    |   3 +-
 .../org/dogtagpki/server/rest/GroupService.java    |   4 +-
 .../src/org/dogtagpki/server/rest/UserService.java |   6 +-
 .../src/com/netscape/cmscore/cert/CertUtils.java   |  18 ++-
 .../cmscore/selftests/SelfTestSubsystem.java       |   9 +-
 28 files changed, 445 insertions(+), 465 deletions(-)

diff --git a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
index eae68ef..be61892 100644
--- a/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
+++ b/base/ca/src/org/dogtagpki/server/ca/rest/ProfileService.java
@@ -90,9 +90,6 @@ public class ProfileService extends SubsystemService implements ProfileResource
     private IProfileSubsystem ps = (IProfileSubsystem) CMS.getSubsystem(IProfileSubsystem.ID);
     private IPluginRegistry registry = (IPluginRegistry) CMS.getSubsystem(CMS.SUBSYSTEM_REGISTRY);
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
-
     @Override
     public Response listProfiles(Integer start, Integer size) {
 
@@ -1198,7 +1195,7 @@ public class ProfileService extends SubsystemService implements ProfileResource
 
     public void auditProfileChange(String scope, String type, String id, String status, Map<String, String> params) {
         String msg = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                AuditEvent.CONFIG_CERT_PROFILE,
                 auditor.getSubjectID(),
                 status,
                 auditor.getParamString(scope, type, id, params));
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index dc434fa..716e0d4 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -35,6 +35,43 @@ import com.netscape.certsrv.base.MessageFormatter;
  */
 public class AuditEvent implements IBundleLogEvent {
 
+    public final static String AUDIT_LOG_STARTUP =
+            "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
+    public final static String AUDIT_LOG_SHUTDOWN =
+            "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
+    public final static String CIMC_CERT_VERIFICATION =
+            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
+    public final static String ROLE_ASSUME =
+            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
+    public final static String CONFIG_CERT_POLICY =
+            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
+    public final static String CONFIG_CERT_PROFILE =
+            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
+    public final static String CONFIG_CRL_PROFILE =
+            "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
+    public final static String CONFIG_OCSP_PROFILE =
+            "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3";
+    public final static String CONFIG_AUTH =
+            "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
+    public final static String CONFIG_ROLE =
+            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
+    public final static String CONFIG_ACL =
+            "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3";
+    public final static String CONFIG_SIGNED_AUDIT =
+            "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3";
+    public final static String CONFIG_ENCRYPTION =
+            "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
+    public final static String CONFIG_TRUSTED_PUBLIC_KEY =
+            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
+    public final static String CONFIG_DRM =
+            "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
+    public final static String SELFTESTS_EXECUTION =
+            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
+    public final static String AUDIT_LOG_DELETE =
+            "LOGGING_SIGNED_AUDIT_LOG_DELETE_3";
+    public final static String LOG_PATH_CHANGE =
+            "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
+
     public final static String PRIVATE_KEY_ARCHIVE_REQUEST =
             "LOGGING_SIGNED_AUDIT_PRIVATE_KEY_ARCHIVE_REQUEST_4";
     public final static String PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED =
diff --git a/base/common/src/com/netscape/certsrv/logging/IAuditor.java b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
index 1d31a8c..216015f 100644
--- a/base/common/src/com/netscape/certsrv/logging/IAuditor.java
+++ b/base/common/src/com/netscape/certsrv/logging/IAuditor.java
@@ -25,9 +25,6 @@ import java.util.Map;
  */
 public interface IAuditor {
 
-    public final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
-
     public final static String SIGNED_AUDIT_SCOPE = "Scope";
     public final static String SIGNED_AUDIT_OPERATION = "Operation";
     public final static String SIGNED_AUDIT_RESOURCE = "Resource";
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index fdf3f83..989fece 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -102,10 +102,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
     static final String PROP_BUFFER_SIZE = "bufferSize";
     static final String PROP_FLUSH_INTERVAL = "flushInterval";
 
-    private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP =
-                               "LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2";
-    private final static String LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN =
-                               "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2";
     private final static String LOG_SIGNED_AUDIT_EXCEPTION =
                                "LOG_SIGNED_AUDIT_EXCEPTION_1";
 
@@ -647,12 +643,12 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
             try {
                 setupSigning();
                 audit(CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP,
+                        AuditEvent.AUDIT_LOG_STARTUP,
                         ILogger.SYSTEM_UID,
                         ILogger.SUCCESS));
             } catch (EBaseException e) {
                 audit(CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP,
+                        AuditEvent.AUDIT_LOG_STARTUP,
                         ILogger.SYSTEM_UID,
                         ILogger.FAILURE));
                 throw e;
@@ -872,7 +868,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
 
         // log signed audit shutdown success
         auditMessage = CMS.getLogMessage(
-                           LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN,
+                           AuditEvent.AUDIT_LOG_SHUTDOWN,
                            ILogger.SYSTEM_UID,
                            ILogger.SUCCESS);
 
diff --git a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
index fb70f46..5d2cdd9 100644
--- a/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/RollingLogFile.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.IExtendedPluginInfo;
 import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ConsoleError;
 import com.netscape.certsrv.logging.ELogException;
 import com.netscape.certsrv.logging.ILogEvent;
@@ -95,9 +96,6 @@ public class RollingLogFile extends LogFile {
      */
     private Object mExpLock = new Object();
 
-    private final static String LOGGING_SIGNED_AUDIT_LOG_DELETE =
-            "LOGGING_SIGNED_AUDIT_LOG_DELETE_3";
-
     /**
      * Construct a RollingLogFile
      */
@@ -351,14 +349,14 @@ public class RollingLogFile extends LogFile {
                 if (file.exists()) {
                     // log failure in deleting an expired signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_DELETE,
+                                AuditEvent.AUDIT_LOG_DELETE,
                                 ILogger.SYSTEM_UID,
                                 ILogger.FAILURE,
                                 fullname);
                 } else {
                     // log success in deleting an expired signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_DELETE,
+                                AuditEvent.AUDIT_LOG_DELETE,
                                 ILogger.SYSTEM_UID,
                                 ILogger.SUCCESS,
                                 fullname);
diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
index b1da188..2f47efa 100644
--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
@@ -28,6 +28,7 @@ import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.SessionContext;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IEnrollProfile;
@@ -55,9 +56,6 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
     private Vector<String> mConfigNames = new Vector<String>();
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
-
     public SubsystemGroupUpdater() {
     }
 
@@ -166,7 +164,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
             system.addUser(user);
             CMS.debug("SubsystemGroupUpdater update: successfully add the user");
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
@@ -196,7 +194,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
             system.addUserCert(user);
             CMS.debug("SubsystemGroupUpdater update: successfully add the user certificate");
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
@@ -209,7 +207,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
         } catch (Exception e) {
             CMS.debug("UpdateSubsystemGroup: update addUser " + e.toString());
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.FAILURE,
                                auditParams);
@@ -240,7 +238,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
                 system.modifyGroup(group);
 
                 auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
@@ -253,7 +251,7 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
         } catch (Exception e) {
             CMS.debug("UpdateSubsystemGroup update: modifyGroup " + e.toString());
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.FAILURE,
                                auditParams);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
index 1244da1..8c5da18 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ACLAdminServlet.java
@@ -38,6 +38,7 @@ import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.evaluators.IAccessEvaluator;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 
 /**
@@ -55,9 +56,6 @@ public class ACLAdminServlet extends AdminServlet {
     private final static String INFO = "ACLAdminServlet";
     private IAuthzManager mAuthzMgr = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ACL =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ACL_3";
-
     /**
      * initialize the servlet.
      * <ul>
@@ -338,7 +336,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -363,7 +361,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -377,7 +375,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -404,7 +402,7 @@ public class ACLAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                        AuditEvent.CONFIG_ACL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -502,7 +500,7 @@ public class ACLAdminServlet extends AdminServlet {
             if (type == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -544,7 +542,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -567,7 +565,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                                AuditEvent.CONFIG_ACL,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -587,7 +585,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -612,7 +610,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -635,7 +633,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -660,7 +658,7 @@ public class ACLAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                        AuditEvent.CONFIG_ACL,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -683,7 +681,7 @@ public class ACLAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                        AuditEvent.CONFIG_ACL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -741,7 +739,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -762,7 +760,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -797,7 +795,7 @@ public class ACLAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                            AuditEvent.CONFIG_ACL,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -812,7 +810,7 @@ public class ACLAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                        AuditEvent.CONFIG_ACL,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -836,7 +834,7 @@ public class ACLAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ACL,
+                        AuditEvent.CONFIG_ACL,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
index 0350e38..089fcbe 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AdminServlet.java
@@ -122,8 +122,6 @@ public class AdminServlet extends HttpServlet {
     public static final String CERT_ATTR =
             "javax.servlet.request.X509Certificate";
 
-    private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
     private final static String CERTUSERDB =
             IAuthSubsystem.CERTUSERDB_AUTHMGR_ID;
     private final static String PASSWDUSERDB =
@@ -657,7 +655,7 @@ public class AdminServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
@@ -680,7 +678,7 @@ public class AdminServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
@@ -701,7 +699,7 @@ public class AdminServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
@@ -723,7 +721,7 @@ public class AdminServlet extends HttpServlet {
 
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                    AuditEvent.ROLE_ASSUME,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditGroups(auditSubjectID));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
index 71cf8a2..253a9cd 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/AuthAdminServlet.java
@@ -43,6 +43,7 @@ import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.ldap.ILdapAuthInfo;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 
 /**
@@ -66,9 +67,6 @@ public class AuthAdminServlet extends AdminServlet {
             "PASSWORD_CACHE_ADD";
     private final static String EDIT = ";" + Constants.EDIT;
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_AUTH =
-            "LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3";
-
     public AuthAdminServlet() {
         super();
     }
@@ -382,7 +380,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -399,7 +397,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (mAuths.getPlugins().containsKey(id)) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -419,7 +417,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (classPath == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -436,7 +434,7 @@ public class AuthAdminServlet extends AdminServlet {
                     classPath.equals("com.netscape.cmscore.authentication.CertUserDBAuthentication")) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -464,7 +462,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (ClassNotFoundException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -478,7 +476,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (IllegalArgumentException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -496,7 +494,7 @@ public class AuthAdminServlet extends AdminServlet {
                 if (IAuthManager.class.isAssignableFrom(newImpl) == false) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                                AuditEvent.CONFIG_AUTH,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -511,7 +509,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (NullPointerException e) { // unlikely, only if newImpl null.
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -534,7 +532,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -559,7 +557,7 @@ public class AuthAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -583,7 +581,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -638,7 +636,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -655,7 +653,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (mAuths.getInstances().containsKey(id)) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -676,7 +674,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (implname == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -703,7 +701,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (plugin == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -756,7 +754,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (ClassNotFoundException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -774,7 +772,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (InstantiationException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -791,7 +789,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (IllegalAccessException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -813,7 +811,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -832,7 +830,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -859,7 +857,7 @@ public class AuthAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -871,7 +869,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -883,7 +881,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -986,7 +984,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1011,7 +1009,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (mAuths.getPlugins().containsKey(id) == false) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1034,7 +1032,7 @@ public class AuthAdminServlet extends AdminServlet {
                 if (authMgr.getImplName() == id) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                                AuditEvent.CONFIG_AUTH,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1063,7 +1061,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1078,7 +1076,7 @@ public class AuthAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1102,7 +1100,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1158,7 +1156,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1183,7 +1181,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (mAuths.getInstances().containsKey(id) == false) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1216,7 +1214,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1238,7 +1236,7 @@ public class AuthAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1262,7 +1260,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1409,7 +1407,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1434,7 +1432,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (!mAuths.getInstances().containsKey(id)) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1453,7 +1451,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (implname == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1472,7 +1470,7 @@ public class AuthAdminServlet extends AdminServlet {
             if (plugin == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1548,7 +1546,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (ClassNotFoundException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1566,7 +1564,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (InstantiationException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1583,7 +1581,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (IllegalAccessException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1606,7 +1604,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1625,7 +1623,7 @@ public class AuthAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                            AuditEvent.CONFIG_AUTH,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1652,7 +1650,7 @@ public class AuthAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1664,7 +1662,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1676,7 +1674,7 @@ public class AuthAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_AUTH,
+                        AuditEvent.CONFIG_AUTH,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
index 09c77e5..5ece2c8 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CAAdminServlet.java
@@ -39,6 +39,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequestListener;
 import com.netscape.cmsutil.util.Utils;
@@ -62,9 +63,6 @@ public class CAAdminServlet extends AdminServlet {
 
     private final static String INFO = "CAAdminServlet";
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3";
-
     private ICertificateAuthority mCA = null;
     protected static final String PROP_ENABLED = "enabled";
 
@@ -537,7 +535,7 @@ public class CAAdminServlet extends AdminServlet {
             if (ipId == null || ipId.length() == 0) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -554,7 +552,7 @@ public class CAAdminServlet extends AdminServlet {
             if (desc == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -587,7 +585,7 @@ public class CAAdminServlet extends AdminServlet {
                 if (ipId.equals(name)) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                                AuditEvent.CONFIG_CRL_PROFILE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -601,7 +599,7 @@ public class CAAdminServlet extends AdminServlet {
             if (!mCA.addCRLIssuingPoint(crlSubStore, ipId, enable, desc)) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -615,7 +613,7 @@ public class CAAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -626,7 +624,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -638,7 +636,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -693,7 +691,7 @@ public class CAAdminServlet extends AdminServlet {
             if (ipId == null || ipId.length() == 0) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -710,7 +708,7 @@ public class CAAdminServlet extends AdminServlet {
             if (desc == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -762,7 +760,7 @@ public class CAAdminServlet extends AdminServlet {
             if (!done) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                            AuditEvent.CONFIG_CRL_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -776,7 +774,7 @@ public class CAAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -787,7 +785,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -799,7 +797,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -869,7 +867,7 @@ public class CAAdminServlet extends AdminServlet {
                 if (!done) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                                AuditEvent.CONFIG_CRL_PROFILE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -884,7 +882,7 @@ public class CAAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -895,7 +893,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -907,7 +905,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1039,7 +1037,7 @@ public class CAAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1050,7 +1048,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1062,7 +1060,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1246,7 +1244,7 @@ public class CAAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1260,7 +1258,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1272,7 +1270,7 @@ public class CAAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE,
+                        AuditEvent.CONFIG_CRL_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
index 3e73dc6..229c377 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/CMSAdminServlet.java
@@ -106,14 +106,6 @@ public final class CMSAdminServlet extends AdminServlet {
 
     private ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
     private final static byte EOL[] = { Character.LINE_SEPARATOR };
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3";
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY =
-            "LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY_3";
-    private final static String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
-            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
-    private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
-            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
 
     // CMS must be instantiated before this admin servlet.
 
@@ -574,7 +566,7 @@ public final class CMSAdminServlet extends AdminServlet {
                         if (tokenizer.countTokens() != 2) {
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+                                        AuditEvent.CONFIG_ENCRYPTION,
                                         auditSubjectID,
                                         ILogger.FAILURE,
                                         auditParams(req));
@@ -599,7 +591,7 @@ public final class CMSAdminServlet extends AdminServlet {
                         } else
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+                                        AuditEvent.CONFIG_ENCRYPTION,
                                         auditSubjectID,
                                         ILogger.FAILURE,
                                         auditParams(req));
@@ -636,7 +628,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+                        AuditEvent.CONFIG_ENCRYPTION,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -648,7 +640,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+                        AuditEvent.CONFIG_ENCRYPTION,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -660,7 +652,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION,
+                        AuditEvent.CONFIG_ENCRYPTION,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1494,7 +1486,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1514,7 +1506,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1534,7 +1526,7 @@ public final class CMSAdminServlet extends AdminServlet {
             if (nickname.equals("")) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1781,7 +1773,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1794,7 +1786,7 @@ public final class CMSAdminServlet extends AdminServlet {
             CMS.debug("CMSAdminServlet: issueImportCert: EBaseException thrown: " + eAudit1.toString());
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1807,7 +1799,7 @@ public final class CMSAdminServlet extends AdminServlet {
             CMS.debug("CMSAdminServlet: issueImportCert: IOException thrown: " + eAudit2.toString());
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1900,7 +1892,7 @@ public final class CMSAdminServlet extends AdminServlet {
                     if (certpath == null || certpath.equals("")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1934,7 +1926,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } catch (IOException ee) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1964,7 +1956,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } else {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2193,7 +2185,7 @@ public final class CMSAdminServlet extends AdminServlet {
                 verified = true;
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                        AuditEvent.CIMC_CERT_VERIFICATION,
                         auditSubjectID,
                         ILogger.SUCCESS,
                                 nickname);
@@ -2203,7 +2195,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 CMS.debug(e);
                 auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                                AuditEvent.CIMC_CERT_VERIFICATION,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 nickname);
@@ -2213,7 +2205,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -2230,7 +2222,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2242,7 +2234,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2319,7 +2311,7 @@ public final class CMSAdminServlet extends AdminServlet {
                     if (certpath == null || certpath.equals("")) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                                AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -2352,7 +2344,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } catch (IOException ee) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2386,7 +2378,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2405,7 +2397,7 @@ public final class CMSAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                            AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2426,7 +2418,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -2437,7 +2429,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2449,7 +2441,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2952,7 +2944,7 @@ public final class CMSAdminServlet extends AdminServlet {
             jssSubSystem.setRootCertTrust(nickname, serialno, issuername, trust);
         } catch (EBaseException e) {
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2964,7 +2956,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
         // store a message in the signed audit log file
         auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                    AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                     auditSubjectID,
                     ILogger.SUCCESS,
                     auditParams(req));
@@ -3020,7 +3012,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -3032,7 +3024,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -3044,7 +3036,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY,
+                        AuditEvent.CONFIG_TRUSTED_PUBLIC_KEY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -3132,7 +3124,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                            AuditEvent.SELFTESTS_EXECUTION,
                             auditSubjectID,
                             ILogger.FAILURE);
 
@@ -3185,7 +3177,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                                    AuditEvent.SELFTESTS_EXECUTION,
                                     auditSubjectID,
                                     ILogger.FAILURE);
 
@@ -3215,7 +3207,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                                    AuditEvent.SELFTESTS_EXECUTION,
                                     auditSubjectID,
                                     ILogger.FAILURE);
 
@@ -3268,7 +3260,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                                        AuditEvent.SELFTESTS_EXECUTION,
                                         auditSubjectID,
                                         ILogger.FAILURE);
 
@@ -3316,7 +3308,7 @@ public final class CMSAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         auditSubjectID,
                         ILogger.SUCCESS);
 
@@ -3336,7 +3328,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (EMissingSelfTestException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         auditSubjectID,
                         ILogger.FAILURE);
 
@@ -3347,7 +3339,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (ESelfTestException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         auditSubjectID,
                         ILogger.FAILURE);
 
@@ -3358,7 +3350,7 @@ public final class CMSAdminServlet extends AdminServlet {
         } catch (IOException eAudit3) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         auditSubjectID,
                         ILogger.FAILURE);
 
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
index f974db4..00f960e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/GroupMemberProcessor.java
@@ -43,8 +43,8 @@ import com.netscape.certsrv.group.GroupMemberCollection;
 import com.netscape.certsrv.group.GroupMemberData;
 import com.netscape.certsrv.group.GroupNotFoundException;
 import com.netscape.certsrv.group.GroupResource;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
-import com.netscape.certsrv.logging.IAuditor;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
@@ -388,6 +388,6 @@ public class GroupMemberProcessor extends Processor {
     }
 
     public void audit(String type, String id, Map<String, String> params, String status) {
-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status);
+        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUP_MEMBERS, type, id, params, status);
     }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
index 3f9f558..5583d12 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/KRAAdminServlet.java
@@ -32,6 +32,7 @@ import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 
 /**
@@ -54,9 +55,6 @@ public class KRAAdminServlet extends AdminServlet {
 
     private IKeyRecoveryAuthority mKRA = null;
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_DRM =
-            "LOGGING_SIGNED_AUDIT_CONFIG_DRM_3";
-
     /**
      * Constructs KRA servlet.
      */
@@ -204,7 +202,7 @@ public class KRAAdminServlet extends AdminServlet {
                     mKRA.setNoOfRequiredAgents(number);
                 } catch (NumberFormatException e) {
                     auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+                            AuditEvent.CONFIG_DRM,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -218,7 +216,7 @@ public class KRAAdminServlet extends AdminServlet {
         commit(true);
 
         auditMessage = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_CONFIG_DRM,
+                AuditEvent.CONFIG_DRM,
                 auditSubjectID,
                 ILogger.SUCCESS,
                 auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
index 13ba52c..c424520 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/LogAdminServlet.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ELogException;
 import com.netscape.certsrv.logging.ELogNotFound;
 import com.netscape.certsrv.logging.ELogPluginNotFound;
@@ -64,10 +65,6 @@ public class LogAdminServlet extends AdminServlet {
     private ILogSubsystem mSys = null;
 
     private final static String SIGNED_AUDIT_LOG_TYPE = "SignedAudit";
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT =
-            "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3";
-    private final static String LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE =
-            "LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4";
 
     /**
      * Constructs Log servlet.
@@ -439,7 +436,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -458,7 +455,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -479,7 +476,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -508,7 +505,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -524,7 +521,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -544,7 +541,7 @@ public class LogAdminServlet extends AdminServlet {
                     // store a message in the signed audit log file
                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                    AuditEvent.CONFIG_SIGNED_AUDIT,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -561,7 +558,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -588,7 +585,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -612,7 +609,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -637,7 +634,7 @@ public class LogAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                        AuditEvent.CONFIG_SIGNED_AUDIT,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -709,7 +706,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -727,7 +724,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -744,7 +741,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -766,7 +763,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -789,7 +786,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -849,7 +846,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -868,7 +865,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -887,7 +884,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -912,7 +909,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -928,7 +925,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -950,7 +947,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -974,7 +971,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -999,7 +996,7 @@ public class LogAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                        AuditEvent.CONFIG_SIGNED_AUDIT,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1103,7 +1100,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1122,7 +1119,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1158,7 +1155,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1175,7 +1172,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1200,7 +1197,7 @@ public class LogAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                        AuditEvent.CONFIG_SIGNED_AUDIT,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1265,7 +1262,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1283,7 +1280,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1308,7 +1305,7 @@ public class LogAdminServlet extends AdminServlet {
                     // store a message in the signed audit log file
                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                    AuditEvent.CONFIG_SIGNED_AUDIT,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -1339,7 +1336,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1356,7 +1353,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1381,7 +1378,7 @@ public class LogAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                        AuditEvent.CONFIG_SIGNED_AUDIT,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1472,7 +1469,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1491,7 +1488,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1512,7 +1509,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1534,7 +1531,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1673,7 +1670,7 @@ public class LogAdminServlet extends AdminServlet {
                                     // file (regardless of logType)
                                     if (!(newLogPath.equals(origLogPath))) {
                                         auditMessage = CMS.getLogMessage(
-                                                    LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                                                    AuditEvent.LOG_PATH_CHANGE,
                                                     auditSubjectID,
                                                     ILogger.FAILURE,
                                                     logType,
@@ -1686,7 +1683,7 @@ public class LogAdminServlet extends AdminServlet {
                                     // file
                                     if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                                         auditMessage = CMS.getLogMessage(
-                                                    LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                                    AuditEvent.CONFIG_SIGNED_AUDIT,
                                                     auditSubjectID,
                                                     ILogger.FAILURE,
                                                     auditParams(req));
@@ -1775,7 +1772,7 @@ public class LogAdminServlet extends AdminServlet {
                 // (regardless of logType)
                 if (!(newLogPath.equals(origLogPath))) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                                AuditEvent.LOG_PATH_CHANGE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 logType,
@@ -1801,7 +1798,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1827,7 +1824,7 @@ public class LogAdminServlet extends AdminServlet {
                 // (regardless of logType)
                 if (!(newLogPath.equals(origLogPath))) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                                AuditEvent.LOG_PATH_CHANGE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 logType,
@@ -1852,7 +1849,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1878,7 +1875,7 @@ public class LogAdminServlet extends AdminServlet {
                 // (regardless of logType)
                 if (!(newLogPath.equals(origLogPath))) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                                AuditEvent.LOG_PATH_CHANGE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 logType,
@@ -1903,7 +1900,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1937,7 +1934,7 @@ public class LogAdminServlet extends AdminServlet {
                 // (regardless of logType)
                 if (!(newLogPath.equals(origLogPath))) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                                AuditEvent.LOG_PATH_CHANGE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 logType,
@@ -1962,7 +1959,7 @@ public class LogAdminServlet extends AdminServlet {
                 // store a message in the signed audit log file
                 if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                                AuditEvent.CONFIG_SIGNED_AUDIT,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1996,7 +1993,7 @@ public class LogAdminServlet extends AdminServlet {
             // (regardless of logType)
             if (!(newLogPath.equals(origLogPath))) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                            AuditEvent.LOG_PATH_CHANGE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             logType,
@@ -2021,7 +2018,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -2042,7 +2039,7 @@ public class LogAdminServlet extends AdminServlet {
             // (regardless of logType)
             if (!(newLogPath.equals(origLogPath))) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                            AuditEvent.LOG_PATH_CHANGE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             logType,
@@ -2067,7 +2064,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2088,7 +2085,7 @@ public class LogAdminServlet extends AdminServlet {
             // (regardless of logType)
             if (!(newLogPath.equals(origLogPath))) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE,
+                            AuditEvent.LOG_PATH_CHANGE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             logType,
@@ -2113,7 +2110,7 @@ public class LogAdminServlet extends AdminServlet {
             // store a message in the signed audit log file
             if (logType.equals(SIGNED_AUDIT_LOG_TYPE)) {
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT,
+                            AuditEvent.CONFIG_SIGNED_AUDIT,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
index a7ff922..ee1c3a2 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/OCSPAdminServlet.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ocsp.IOCSPAuthority;
 import com.netscape.certsrv.ocsp.IOCSPStore;
@@ -57,9 +58,6 @@ public class OCSPAdminServlet extends AdminServlet {
 
     private final static String INFO = "OCSPAdminServlet";
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3";
-
     private IOCSPAuthority mOCSP = null;
 
     public OCSPAdminServlet() {
@@ -256,7 +254,7 @@ public class OCSPAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -267,7 +265,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -279,7 +277,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -368,7 +366,7 @@ public class OCSPAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -379,7 +377,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -391,7 +389,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -503,7 +501,7 @@ public class OCSPAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -514,7 +512,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -526,7 +524,7 @@ public class OCSPAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE,
+                        AuditEvent.CONFIG_OCSP_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
index 1fe9c87..7a09e83 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/PolicyAdminServlet.java
@@ -41,6 +41,7 @@ import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.kra.IKeyRecoveryAuthority;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.ra.IRegistrationAuthority;
 
@@ -83,9 +84,6 @@ public class PolicyAdminServlet extends AdminServlet {
     public static String COMMA = ",";
     public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY =
-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3";
-
     /**
      * Constructs administration servlet.
      */
@@ -506,7 +504,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -522,7 +520,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -535,7 +533,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -547,7 +545,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -628,7 +626,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -644,7 +642,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (classPath == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -659,7 +657,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -670,7 +668,7 @@ public class PolicyAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -682,7 +680,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -735,7 +733,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -751,7 +749,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -764,7 +762,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -776,7 +774,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -875,7 +873,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -892,7 +890,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (implName == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -925,7 +923,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -956,7 +954,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -967,7 +965,7 @@ public class PolicyAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -979,7 +977,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1032,7 +1030,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (policyOrder == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1047,7 +1045,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1058,7 +1056,7 @@ public class PolicyAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1070,7 +1068,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1123,7 +1121,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1140,7 +1138,7 @@ public class PolicyAdminServlet extends AdminServlet {
             if (implName == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1172,7 +1170,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1208,7 +1206,7 @@ public class PolicyAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1219,7 +1217,7 @@ public class PolicyAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                            AuditEvent.CONFIG_CERT_POLICY,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1231,7 +1229,7 @@ public class PolicyAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY,
+                        AuditEvent.CONFIG_CERT_POLICY,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
index b418baf..c4b40c0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/ProfileAdminServlet.java
@@ -34,6 +34,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.IPolicyConstraint;
@@ -88,9 +89,6 @@ public class ProfileAdminServlet extends AdminServlet {
     public static String MISSING_POLICY_ORDERING = "Missing policy ordering";
     public static String BAD_CONFIGURATION_VAL = "Invalid configuration value.";
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3";
-
     /**
      * Constructs administration servlet.
      */
@@ -425,7 +423,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -475,7 +473,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -492,7 +490,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -503,7 +501,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -566,7 +564,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -599,7 +597,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -617,7 +615,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -628,7 +626,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -691,7 +689,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -725,7 +723,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -743,7 +741,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -754,7 +752,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -826,7 +824,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -848,7 +846,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -863,7 +861,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -874,7 +872,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -948,7 +946,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -965,7 +963,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (EBaseException e1) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -980,7 +978,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -991,7 +989,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1065,7 +1063,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1082,7 +1080,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (EBaseException e1) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1097,7 +1095,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1108,7 +1106,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1170,7 +1168,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1219,7 +1217,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1233,7 +1231,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1244,7 +1242,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1306,7 +1304,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1356,7 +1354,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1371,7 +1369,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1382,7 +1380,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1444,7 +1442,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1488,7 +1486,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1502,7 +1500,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1513,7 +1511,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1575,7 +1573,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1607,7 +1605,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1621,7 +1619,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1632,7 +1630,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1694,7 +1692,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1727,7 +1725,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1741,7 +1739,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1752,7 +1750,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1814,7 +1812,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1861,7 +1859,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1876,7 +1874,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1887,7 +1885,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2278,7 +2276,7 @@ public class ProfileAdminServlet extends AdminServlet {
             if (id == null) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2294,7 +2292,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (EProfileException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2307,7 +2305,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -2318,7 +2316,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2391,7 +2389,7 @@ public class ProfileAdminServlet extends AdminServlet {
             if (id == null || id.trim().equals("") || !isValidId(id)) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2441,7 +2439,7 @@ public class ProfileAdminServlet extends AdminServlet {
             } catch (EBaseException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2480,7 +2478,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2493,7 +2491,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -2504,7 +2502,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2563,7 +2561,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                            AuditEvent.CONFIG_CERT_PROFILE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2591,7 +2589,7 @@ public class ProfileAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -2607,7 +2605,7 @@ public class ProfileAdminServlet extends AdminServlet {
         } catch (IOException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE,
+                        AuditEvent.CONFIG_CERT_PROFILE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
index cce1ce3..1c38b88 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/admin/UsrGrpAdminServlet.java
@@ -48,6 +48,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.common.NameValuePairs;
 import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFormat;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.password.IPasswordCheck;
@@ -87,9 +88,6 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
     private final static String BACK_SLASH = "\\";
 
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
-
     private IUGSubsystem mMgr = null;
 
     private static String[] mMultiRoleGroupEnforceList = null;
@@ -682,7 +680,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -701,7 +699,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -720,7 +718,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -743,7 +741,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -770,7 +768,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
                 if (!passwdCheck.isGoodPassword(pword)) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                AuditEvent.CONFIG_ROLE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -823,7 +821,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                    AuditEvent.CONFIG_ROLE,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -846,7 +844,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                             // store a message in the signed audit log file
                             auditMessage = CMS.getLogMessage(
-                                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                        AuditEvent.CONFIG_ROLE,
                                         auditSubjectID,
                                         ILogger.FAILURE,
                                         auditParams(req));
@@ -872,7 +870,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -886,7 +884,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -907,7 +905,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -921,7 +919,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -933,7 +931,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -993,7 +991,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1016,7 +1014,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1056,7 +1054,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
                     if (p7certs.length == 0) {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                    AuditEvent.CONFIG_ROLE,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -1091,7 +1089,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                    AuditEvent.CONFIG_ROLE,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -1157,7 +1155,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                AuditEvent.CONFIG_ROLE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -1173,7 +1171,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1195,7 +1193,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1211,7 +1209,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1227,7 +1225,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1241,7 +1239,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
             } catch (ConflictingOperationException e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1257,7 +1255,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1283,7 +1281,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1346,7 +1344,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1368,7 +1366,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1386,7 +1384,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1400,7 +1398,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1426,7 +1424,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1497,7 +1495,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1519,7 +1517,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1539,7 +1537,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
                     } else {
                         // store a message in the signed audit log file
                         auditMessage = CMS.getLogMessage(
-                                    LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                    AuditEvent.CONFIG_ROLE,
                                     auditSubjectID,
                                     ILogger.FAILURE,
                                     auditParams(req));
@@ -1561,7 +1559,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1573,7 +1571,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
             } catch (Exception ex) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1587,7 +1585,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1599,7 +1597,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1660,7 +1658,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1698,7 +1696,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1710,7 +1708,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
             } catch (Exception e) {
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1725,7 +1723,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1737,7 +1735,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1798,7 +1796,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1817,7 +1815,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditParams(req));
@@ -1828,7 +1826,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1840,7 +1838,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -1903,7 +1901,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -1956,7 +1954,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
                             } else {
                                 // store a message in the signed audit log file
                                 auditMessage = CMS.getLogMessage(
-                                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                            AuditEvent.CONFIG_ROLE,
                                             auditSubjectID,
                                             ILogger.FAILURE,
                                             auditParams(req));
@@ -1980,7 +1978,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -1993,7 +1991,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2008,7 +2006,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2020,7 +2018,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2152,7 +2150,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2176,7 +2174,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2201,7 +2199,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
                 if (!passwdCheck.isGoodPassword(pword)) {
                     // store a message in the signed audit log file
                     auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                AuditEvent.CONFIG_ROLE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams(req));
@@ -2232,7 +2230,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditParams(req));
@@ -2246,7 +2244,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                            AuditEvent.CONFIG_ROLE,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditParams(req));
@@ -2260,7 +2258,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (EBaseException eAudit1) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
@@ -2272,7 +2270,7 @@ public class UsrGrpAdminServlet extends AdminServlet {
         } catch (IOException eAudit2) {
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                        AuditEvent.CONFIG_ROLE,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditParams(req));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index 01f9f07..c7fc03b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -245,9 +245,6 @@ public abstract class CMSServlet extends HttpServlet {
     private IUGSubsystem mUG = (IUGSubsystem)
             CMS.getSubsystem(CMS.SUBSYSTEM_UG);
 
-    private final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
-
     public CMSServlet() {
     }
 
@@ -1840,7 +1837,7 @@ public abstract class CMSServlet extends HttpServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                            AuditEvent.ROLE_ASSUME,
                             auditSubjectID,
                             ILogger.SUCCESS,
                             auditGroupID);
@@ -1857,7 +1854,7 @@ public abstract class CMSServlet extends HttpServlet {
                 audit(auditMessage);
 
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                            AuditEvent.ROLE_ASSUME,
                             auditSubjectID,
                             ILogger.FAILURE,
                             auditGroupID);
@@ -1876,7 +1873,7 @@ public abstract class CMSServlet extends HttpServlet {
             audit(auditMessage);
 
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroupID);
@@ -1974,7 +1971,7 @@ public abstract class CMSServlet extends HttpServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                            AuditEvent.ROLE_ASSUME,
                             auditID,
                             ILogger.SUCCESS,
                             auditGroups(auditSubjectID));
@@ -1993,7 +1990,7 @@ public abstract class CMSServlet extends HttpServlet {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                            AuditEvent.ROLE_ASSUME,
                             auditID,
                             ILogger.FAILURE,
                             auditGroups(auditSubjectID));
@@ -2015,7 +2012,7 @@ public abstract class CMSServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
@@ -2036,7 +2033,7 @@ public abstract class CMSServlet extends HttpServlet {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
index 74197a4..f02932e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/RegisterUser.java
@@ -36,6 +36,7 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authorization.AuthzToken;
 import com.netscape.certsrv.authorization.EAuthzAccessDenied;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.ICertUserLocator;
 import com.netscape.certsrv.usrgrp.IGroup;
@@ -65,9 +66,6 @@ public class RegisterUser extends CMSServlet {
     private final static String SUCCESS = "0";
     private final static String AUTH_FAILURE = "2";
     private String mGroupName = null;
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
-
     public RegisterUser() {
         super();
     }
@@ -202,7 +200,7 @@ public class RegisterUser extends CMSServlet {
                 ugsys.addUser(user);
                 CMS.debug("RegisterUser created user " + uid);
                 auditMessage = CMS.getLogMessage(
-                              LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                              AuditEvent.CONFIG_ROLE,
                               auditSubjectID,
                               ILogger.SUCCESS,
                               auditParams);
@@ -227,7 +225,7 @@ public class RegisterUser extends CMSServlet {
                 ugsys.addUserCert(user);
                 CMS.debug("RegisterUser added user certificate");
                 auditMessage = CMS.getLogMessage(
-                              LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                              AuditEvent.CONFIG_ROLE,
                               auditSubjectID,
                               ILogger.SUCCESS,
                               auditParams);
@@ -237,7 +235,7 @@ public class RegisterUser extends CMSServlet {
         } catch (Exception eee) {
             CMS.debug("RegisterUser error " + eee.toString());
             auditMessage = CMS.getLogMessage(
-                                LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                AuditEvent.CONFIG_ROLE,
                                 auditSubjectID,
                                 ILogger.FAILURE,
                                 auditParams);
@@ -270,7 +268,7 @@ public class RegisterUser extends CMSServlet {
                 CMS.debug("RegisterUser modified group");
 
                 auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.SUCCESS,
                                auditParams);
@@ -279,7 +277,7 @@ public class RegisterUser extends CMSServlet {
             }
         } catch (Exception e) {
             auditMessage = CMS.getLogMessage(
-                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                               AuditEvent.CONFIG_ROLE,
                                auditSubjectID,
                                ILogger.FAILURE,
                                auditParams);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index 69e76fc..cd769db 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -90,7 +90,7 @@ public class SecurityDomainProcessor extends CAProcessor {
 
         if (!ugSubsystem.isMemberOf(user, group)) {
             String message = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                    AuditEvent.ROLE_ASSUME,
                     user,
                     ILogger.FAILURE,
                     group);
@@ -100,7 +100,7 @@ public class SecurityDomainProcessor extends CAProcessor {
         }
 
         String message = CMS.getLogMessage(
-                LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                AuditEvent.ROLE_ASSUME,
                 user,
                 ILogger.SUCCESS,
                 group);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
index bed4357..5872ab0 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/csadmin/UpdateDomainXML.java
@@ -63,9 +63,6 @@ public class UpdateDomainXML extends CMSServlet {
     private static final long serialVersionUID = 4059169588555717548L;
     private final static String SUCCESS = "0";
     private final static String FAILED = "1";
-    private final static String LOGGING_SIGNED_AUDIT_CONFIG_ROLE =
-            "LOGGING_SIGNED_AUDIT_CONFIG_ROLE_3";
-
     public UpdateDomainXML() {
         super();
     }
@@ -372,7 +369,7 @@ public class UpdateDomainXML extends CMSServlet {
                     status2 = remove_from_ldap(adminUserDN);
                     if (status2.equals(SUCCESS)) {
                         auditMessage = CMS.getLogMessage(
-                                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                               AuditEvent.CONFIG_ROLE,
                                                auditSubjectID,
                                                ILogger.SUCCESS,
                                                userAuditParams);
@@ -388,13 +385,13 @@ public class UpdateDomainXML extends CMSServlet {
                         status2 = modify_ldap(dn, mod);
                         if (status2.equals(SUCCESS)) {
                             auditMessage = CMS.getLogMessage(
-                                                   LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                                   AuditEvent.CONFIG_ROLE,
                                                    auditSubjectID,
                                                    ILogger.SUCCESS,
                                                    userAuditParams);
                         } else {
                             auditMessage = CMS.getLogMessage(
-                                                   LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                                   AuditEvent.CONFIG_ROLE,
                                                    auditSubjectID,
                                                    ILogger.FAILURE,
                                                    userAuditParams);
@@ -402,7 +399,7 @@ public class UpdateDomainXML extends CMSServlet {
                         audit(auditMessage);
                     } else { // error deleting user
                         auditMessage = CMS.getLogMessage(
-                                               LOGGING_SIGNED_AUDIT_CONFIG_ROLE,
+                                               AuditEvent.CONFIG_ROLE,
                                                auditSubjectID,
                                                ILogger.FAILURE,
                                                userAuditParams);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index 5669233..ad79cbb 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -117,8 +117,6 @@ public class CAProcessor extends Processor {
     public static final String ACL_INFO = "ACLinfo";
     public static final String PROFILE_SUB_ID = "profileSubId";
 
-    public final static String LOGGING_SIGNED_AUDIT_ROLE_ASSUME =
-            "LOGGING_SIGNED_AUDIT_ROLE_ASSUME_3";
     public final static String SIGNED_AUDIT_CERT_REQUEST_REASON =
             "requestNotes";
 
@@ -731,7 +729,7 @@ public class CAProcessor extends Processor {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.SUCCESS,
                         auditGroupID);
@@ -748,7 +746,7 @@ public class CAProcessor extends Processor {
                 audit(auditMessage);
 
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditSubjectID,
                         ILogger.FAILURE,
                         auditGroupID);
@@ -767,7 +765,7 @@ public class CAProcessor extends Processor {
             audit(auditMessage);
 
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                    AuditEvent.ROLE_ASSUME,
                     auditSubjectID,
                     ILogger.FAILURE,
                     auditGroupID);
@@ -864,7 +862,7 @@ public class CAProcessor extends Processor {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditID,
                         ILogger.SUCCESS,
                         auditGroups(auditSubjectID));
@@ -883,7 +881,7 @@ public class CAProcessor extends Processor {
 
                 // store a message in the signed audit log file
                 auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                        AuditEvent.ROLE_ASSUME,
                         auditID,
                         ILogger.FAILURE,
                         auditGroups(auditSubjectID));
@@ -905,7 +903,7 @@ public class CAProcessor extends Processor {
 
             // store a message in the signed audit log file
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_ROLE_ASSUME,
+                    AuditEvent.ROLE_ASSUME,
                     auditID,
                     ILogger.FAILURE,
                     auditGroups(auditSubjectID));
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index 7bb048f..2d5b371 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.PKIException;
 import com.netscape.certsrv.base.ResourceNotFoundException;
 import com.netscape.certsrv.logging.AuditConfig;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.AuditFile;
 import com.netscape.certsrv.logging.AuditFileCollection;
 import com.netscape.certsrv.logging.AuditResource;
@@ -412,7 +413,7 @@ public class AuditService extends SubsystemService implements AuditResource {
     public void auditTPSConfigSignedAudit(String status, Map<String, String> params) {
 
         String msg = CMS.getLogMessage(
-                "LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT_3",
+                AuditEvent.CONFIG_SIGNED_AUDIT,
                 servletRequest.getUserPrincipal().getName(),
                 status,
                 auditor.getParamString(null, params));
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
index 4ee2810..4aa0209 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/GroupService.java
@@ -40,7 +40,7 @@ import com.netscape.certsrv.group.GroupData;
 import com.netscape.certsrv.group.GroupMemberData;
 import com.netscape.certsrv.group.GroupNotFoundException;
 import com.netscape.certsrv.group.GroupResource;
-import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IGroupConstants;
@@ -432,6 +432,6 @@ public class GroupService extends SubsystemService implements GroupResource {
     }
 
     public void audit(String type, String id, Map<String, String> params, String status) {
-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status);
+        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_GROUPS, type, id, params, status);
     }
 }
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
index eeadba5..e10c4f5 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/UserService.java
@@ -52,7 +52,7 @@ import com.netscape.certsrv.common.OpDef;
 import com.netscape.certsrv.common.ScopeDef;
 import com.netscape.certsrv.dbs.certdb.CertId;
 import com.netscape.certsrv.group.GroupMemberData;
-import com.netscape.certsrv.logging.IAuditor;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.password.IPasswordCheck;
 import com.netscape.certsrv.user.UserCertCollection;
@@ -1227,10 +1227,10 @@ public class UserService extends SubsystemService implements UserResource {
     }
 
     public void auditUser(String type, String id, Map<String, String> params, String status) {
-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
+        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USERS, type, id, params, status);
     }
 
     public void auditUserCert(String type, String id, Map<String, String> params, String status) {
-        audit(IAuditor.LOGGING_SIGNED_AUDIT_CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
+        audit(AuditEvent.CONFIG_ROLE, ScopeDef.SC_USER_CERTS, type, id, params, status);
     }
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index 400ad0c..e1c4c76 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -41,6 +41,7 @@ import org.mozilla.jss.CryptoManager.CertificateUsage;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.cmsutil.util.Utils;
 
@@ -84,9 +85,6 @@ public class CertUtils {
             "-----END CERTIFICATE REVOCATION LIST-----";
 
     protected static ILogger mSignedAuditLogger = CMS.getSignedAuditLogger();
-    private final static String LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION =
-            "LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3";
-
     /**
      * Remove the header and footer in the PKCS10 request.
      */
@@ -911,7 +909,7 @@ public class CertUtils {
             if (subsysType == null) {
                 CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                            AuditEvent.CIMC_CERT_VERIFICATION,
                             ILogger.SYSTEM_UID,
                             ILogger.FAILURE,
                             "");
@@ -936,7 +934,7 @@ public class CertUtils {
             verifySystemCertByNickname(nickname, certusage);
 
             auditMessage = CMS.getLogMessage(
-                    LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                    AuditEvent.CIMC_CERT_VERIFICATION,
                     ILogger.SYSTEM_UID,
                     ILogger.SUCCESS,
                         nickname);
@@ -947,7 +945,7 @@ public class CertUtils {
             CMS.debug("CertUtils: verifySystemCertsByTag() failed: " +
                     e.toString());
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                        AuditEvent.CIMC_CERT_VERIFICATION,
                         ILogger.SYSTEM_UID,
                         ILogger.FAILURE,
                         "");
@@ -1009,7 +1007,7 @@ public class CertUtils {
             if (subsysType.equals("")) {
                 CMS.debug("CertUtils: verifySystemCerts() cs.type not defined in CS.cfg. System certificates verification not done");
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                            AuditEvent.CIMC_CERT_VERIFICATION,
                             ILogger.SYSTEM_UID,
                             ILogger.FAILURE,
                             "");
@@ -1022,7 +1020,7 @@ public class CertUtils {
             if (subsysType == null) {
                 CMS.debug("CertUtils: verifySystemCerts() invalid cs.type in CS.cfg. System certificates verification not done");
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                            AuditEvent.CIMC_CERT_VERIFICATION,
                             ILogger.SYSTEM_UID,
                             ILogger.FAILURE,
                             "");
@@ -1036,7 +1034,7 @@ public class CertUtils {
                 CMS.debug("CertUtils: verifySystemCerts() "
                         + subsysType + ".cert.list not defined in CS.cfg. System certificates verification not done");
                 auditMessage = CMS.getLogMessage(
-                            LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                            AuditEvent.CIMC_CERT_VERIFICATION,
                             ILogger.SYSTEM_UID,
                             ILogger.FAILURE,
                             "");
@@ -1056,7 +1054,7 @@ public class CertUtils {
         } catch (Exception e) {
             // audit here
             auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION,
+                        AuditEvent.CIMC_CERT_VERIFICATION,
                         ILogger.SYSTEM_UID,
                         ILogger.FAILURE,
                         "");
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 4ddb42c..95556b9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -96,9 +96,6 @@ public class SelfTestSubsystem
     private static final String ELEMENT_DELIMITER = ":";
     private static final String CRITICAL = "critical";
 
-    private static final String LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION =
-            "LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2";
-
     /////////////////////
     // default methods //
     /////////////////////
@@ -1809,7 +1806,7 @@ public class SelfTestSubsystem
 
             // store a message in the signed audit log file
             String auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         ILogger.SYSTEM_UID,
                         ILogger.SUCCESS);
 
@@ -1819,7 +1816,7 @@ public class SelfTestSubsystem
 
             // store a message in the signed audit log file
             String auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         ILogger.SYSTEM_UID,
                         ILogger.FAILURE);
 
@@ -1832,7 +1829,7 @@ public class SelfTestSubsystem
 
             // store a message in the signed audit log file
             String auditMessage = CMS.getLogMessage(
-                        LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION,
+                        AuditEvent.SELFTESTS_EXECUTION,
                         ILogger.SYSTEM_UID,
                         ILogger.FAILURE);
 
-- 
1.8.3.1


From eb7c9139c1ab017a8749d87e163e9dcc42037fb2 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 11 Apr 2017 14:18:32 -0400
Subject: [PATCH 49/59] Modified CRMFPopClient to use correct wrapping for
 encrypt case

When the server cannot do key wrapping using the AES KeyWrap,
probably because the backend HSM cannot do key wrapping, then
there is a setting to allow it to use encrypt/decrypt instead.

If the key wrap algorithm is something simple like 3DES or AES-CBC,
then the client can just use key wrapping to wrap the key on its
token, and the server can use an encryption algorithm to decrypt.
The client does not need to know that the server cannot handle a
key wrap, because keywrapping and encryption are pretty much the
same mechanism - just either in server memory or not.

When we do key wrapping using AES KeyWrap though, there is no
corresponding encryption algorithm used to decrypt.  So the server
cannot simply decrypt a message wrapped with AES Keywrap (or at least
not in any obvious way).  So in this case, the client needs to know
if the server can handle keywrap.

The patch therefore does the following:
1. For CRMFPopClient, adds a command line option to specify if key
   wrapping or encryption is required.
2. Reads an environment variable if no option is provided.
3. If encryption is specified, uses key wrapping using AES-CBC
   which can be decrypted on the server side.
4. For cert-client, contacts the server to determine from the
   CAInfoResource if keywrapping is supported.

Change-Id: If66f51c929cfde1c0ff3b9f39cb57b92fcdc150c
---
 .../src/com/netscape/certsrv/key/KeyClient.java    |  3 ++
 .../netscape/certsrv/util/NSSCryptoProvider.java   |  2 +-
 .../src/com/netscape/cmstools/CRMFPopClient.java   | 43 +++++++++++++++++++---
 .../cmstools/client/ClientCertRequestCLI.java      | 28 ++++++++++++--
 .../com/netscape/cmsutil/crypto/CryptoUtil.java    | 16 +-------
 5 files changed, 69 insertions(+), 23 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index 750d270..dea44b1 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -27,6 +27,7 @@ import java.util.List;
 import javax.ws.rs.core.Response;
 
 import org.dogtagpki.common.Info;
+import org.dogtagpki.common.KRAInfoResource;
 import org.dogtagpki.common.Version;
 import org.mozilla.jss.crypto.EncryptionAlgorithm;
 import org.mozilla.jss.crypto.KeyWrapAlgorithm;
@@ -49,6 +50,7 @@ public class KeyClient extends Client {
 
     public KeyResource keyClient;
     public KeyRequestResource keyRequestClient;
+    public KRAInfoResource kraInfoClient;
 
     private CryptoProvider crypto;
     private String transportCert;
@@ -92,6 +94,7 @@ public class KeyClient extends Client {
     public void init() throws URISyntaxException {
         keyClient = createProxy(KeyResource.class);
         keyRequestClient = createProxy(KeyRequestResource.class);
+        kraInfoClient = createProxy(KRAInfoResource.class);
     }
 
     public CryptoProvider getCrypto() {
diff --git a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
index 1d2edbc..be8dd24 100644
--- a/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
+++ b/base/common/src/com/netscape/certsrv/util/NSSCryptoProvider.java
@@ -140,7 +140,7 @@ public class NSSCryptoProvider extends CryptoProvider {
         if (token == null) {
             throw new NotInitializedException();
         }
-        return CryptoUtil.wrapPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm);
+        return CryptoUtil.encryptPassphrase(token, passphrase, new IVParameterSpec(iv), key, encryptionAlgorithm);
     }
 
     @Override
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index 9d81a72..c5da9cf 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -40,6 +40,7 @@ import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpGet;
 import org.apache.http.impl.client.DefaultHttpClient;
 import org.apache.http.util.EntityUtils;
+import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.ASN1Util;
 import org.mozilla.jss.asn1.BIT_STRING;
@@ -182,6 +183,10 @@ public class CRMFPopClient {
         option.setArgName("extractable");
         options.addOption(option);
 
+        option = new Option("g", true, "KeyWrap");
+        option.setArgName("keyWrap");
+        options.addOption(option);
+
         options.addOption("v", "verbose", false, "Run in verbose mode.");
         options.addOption(null, "help", false, "Show help message.");
 
@@ -210,6 +215,9 @@ public class CRMFPopClient {
         System.out.println("                               - POP_NONE: without POP");
         System.out.println("                               - POP_SUCCESS: with valid POP");
         System.out.println("                               - POP_FAIL: with invalid POP (for testing)");
+        System.out.println("  -g <true|false>              Use KeyWrapping to wrap private key (default: true)");
+        System.out.println("                               - true: use a key wrapping algorithm");
+        System.out.println("                               - false: use an encryption algorithm");
         System.out.println("  -b <transport cert>          PEM transport certificate (default: transport.txt)");
         System.out.println("  -v, --verbose                Run in verbose mode.");
         System.out.println("      --help                   Show help message.");
@@ -302,6 +310,16 @@ public class CRMFPopClient {
         int sensitive = Integer.parseInt(cmd.getOptionValue("s", "-1"));
         int extractable = Integer.parseInt(cmd.getOptionValue("e", "-1"));
 
+        boolean keyWrap = true;
+        if (cmd.hasOption("g")) {
+            keyWrap = Boolean.parseBoolean(cmd.getOptionValue("g"));
+        } else {
+            String useKeyWrap = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+            if (useKeyWrap != null) {
+                keyWrap = Boolean.parseBoolean(useKeyWrap);
+            }
+        }
+
         String output = cmd.getOptionValue("o");
 
         String hostPort = cmd.getOptionValue("m");
@@ -440,8 +458,11 @@ public class CRMFPopClient {
             String kid = CryptoUtil.byte2string(id);
             System.out.println("Keypair private key id: " + kid);
 
+            String archivalMechanism = keyWrap ? KRAInfoResource.KEYWRAP_MECHANISM :
+                KRAInfoResource.ENCRYPT_MECHANISM;
             if (verbose) System.out.println("Creating certificate request");
-            CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
+            CertRequest certRequest = client.createCertRequest(
+                    token, transportCert, algorithm, keyPair, subject, archivalMechanism);
 
             ProofOfPossession pop = null;
 
@@ -550,7 +571,8 @@ public class CRMFPopClient {
             X509Certificate transportCert,
             String algorithm,
             KeyPair keyPair,
-            Name subject) throws Exception {
+            Name subject,
+            String archivalMechanism) throws Exception {
         EncryptionAlgorithm encryptAlg = null;
         String keyset = System.getenv("KEY_WRAP_PARAMETER_SET");
 
@@ -563,7 +585,7 @@ public class CRMFPopClient {
 
         byte[] iv = CryptoUtil.getNonceData(encryptAlg.getIVLength());
         AlgorithmIdentifier aid = new AlgorithmIdentifier(encryptAlg.toOID(), new OCTET_STRING(iv));
-        WrappingParams params = getWrappingParams(encryptAlg, iv);
+        WrappingParams params = getWrappingParams(encryptAlg, iv, archivalMechanism);
 
         PKIArchiveOptions opts = CryptoUtil.createPKIArchiveOptions(
                 token,
@@ -583,12 +605,23 @@ public class CRMFPopClient {
         return new CertRequest(new INTEGER(1), certTemplate, seq);
     }
 
-    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV) throws Exception {
+    private WrappingParams getWrappingParams(EncryptionAlgorithm encryptAlg, byte[] wrapIV,
+            String archivalMechanism) throws Exception {
         if (encryptAlg.getAlg().toString().equalsIgnoreCase("AES")) {
+            KeyWrapAlgorithm wrapAlg = null;
+            IVParameterSpec wrapIVS = null;
+            if (archivalMechanism.equals(KRAInfoResource.ENCRYPT_MECHANISM)) {
+                // We will use AES_CBC_PAD as the a key wrap mechanism.  This
+                // can be decrypted using the same mechanism on the server.
+                wrapAlg = KeyWrapAlgorithm.AES_CBC_PAD;
+                wrapIVS = new IVParameterSpec(wrapIV);
+            } else {
+                wrapAlg = KeyWrapAlgorithm.AES_KEY_WRAP_PAD;
+            }
             return new WrappingParams(
                 SymmetricKey.AES, KeyGenAlgorithm.AES, 128,
                 KeyWrapAlgorithm.RSA, encryptAlg,
-                KeyWrapAlgorithm.AES_KEY_WRAP_PAD, null, null);
+                wrapAlg, wrapIVS, wrapIVS);
         } else if (encryptAlg.getAlg().toString().equalsIgnoreCase("DESede")) {
             return new WrappingParams(
                     SymmetricKey.DES3, KeyGenAlgorithm.DES3, 168,
diff --git a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
index 6562699..8ca857b 100644
--- a/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
+++ b/base/java-tools/src/com/netscape/cmstools/client/ClientCertRequestCLI.java
@@ -29,6 +29,8 @@ import java.util.Vector;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.Option;
 import org.apache.commons.io.FileUtils;
+import org.dogtagpki.common.CAInfoClient;
+import org.dogtagpki.common.KRAInfoResource;
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.Signature;
@@ -245,8 +247,26 @@ public class ClientCertRequestCLI extends CLI {
             CryptoManager manager = CryptoManager.getInstance();
             X509Certificate transportCert = manager.importCACertPackage(transportCertData);
 
+            // get archival mechanism
+            CAInfoClient infoClient = new CAInfoClient(client, "ca");
+            String archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+            try {
+                archivalMechanism = infoClient.getInfo().getArchivalMechanism();
+            } catch (Exception e) {
+                // this could be an older server, check for environment variable.
+                String useKeyWrapping = System.getenv("KEY_ARCHIVAL_USE_KEY_WRAPPING");
+                if (useKeyWrapping != null) {
+                    if (Boolean.parseBoolean(useKeyWrapping)) {
+                        archivalMechanism = KRAInfoResource.KEYWRAP_MECHANISM;
+                    } else {
+                        archivalMechanism = KRAInfoResource.ENCRYPT_MECHANISM;
+                    }
+                }
+            }
+
             csr = generateCrmfRequest(transportCert, subjectDN, attributeEncoding,
-                    algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop);
+                    algorithm, length, curve, sslECDH, temporary, sensitive, extractable, withPop,
+                    archivalMechanism);
 
         } else {
             throw new Exception("Unknown request type: " + requestType);
@@ -387,7 +407,8 @@ public class ClientCertRequestCLI extends CLI {
             boolean temporary,
             int sensitive,
             int extractable,
-            boolean withPop
+            boolean withPop,
+            String archivalMechanism
             ) throws Exception {
 
         CryptoManager manager = CryptoManager.getInstance();
@@ -408,7 +429,8 @@ public class ClientCertRequestCLI extends CLI {
             throw new Exception("Unknown algorithm: " + algorithm);
         }
 
-        CertRequest certRequest = client.createCertRequest(token, transportCert, algorithm, keyPair, subject);
+        CertRequest certRequest = client.createCertRequest(
+                token, transportCert, algorithm, keyPair, subject, archivalMechanism);
 
         ProofOfPossession pop = null;
         if (withPop) {
diff --git a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
index 3588852..d22856d 100644
--- a/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
+++ b/base/util/src/com/netscape/cmsutil/crypto/CryptoUtil.java
@@ -1962,7 +1962,7 @@ public class CryptoUtil {
         return decodedData;
     }
 
-    public static byte[] wrapPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk,
+    public static byte[] encryptPassphrase(CryptoToken token, String passphrase, IVParameterSpec IV, SymmetricKey sk,
             EncryptionAlgorithm alg)
             throws NoSuchAlgorithmException, TokenException, InvalidKeyException,
             InvalidAlgorithmParameterException, IllegalBlockSizeException, BadPaddingException, IOException {
@@ -2010,17 +2010,6 @@ public class CryptoUtil {
         return encodePKIArchiveOptions(opts);
     }
 
-    /* Used to create PKIArchiveOptions for wrapped symmetric key */
-    public static PKIArchiveOptions createPKIArchiveOptions(
-            CryptoToken token,
-            PublicKey wrappingKey,
-            SymmetricKey data,
-            WrappingParams params,
-            AlgorithmIdentifier aid) throws Exception {
-         return createPKIArchiveOptionsInternal(
-                 token, wrappingKey, null, null, data, params, aid);
-    }
-
     public static byte[] createEncodedPKIArchiveOptions(
             CryptoToken token,
             PublicKey wrappingKey,
@@ -2068,10 +2057,9 @@ public class CryptoUtil {
                 params.getSkLength(),
                 null,
                 false);
-
         byte[] key_data;
         if (passphraseData != null) {
-            key_data = wrapPassphrase(
+            key_data = encryptPassphrase(
                     token,
                     passphraseData,
                     params.getPayloadEncryptionIV(),
-- 
1.8.3.1


From d9d8b19bef7c91c2e3d33618869ea6426ecb4a36 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 12 Apr 2017 21:44:31 +0200
Subject: [PATCH 50/59] Updated CMS.getLogMessage().

The CMS.getLogMessage() has been generalized to take an array of
Objects instead of Strings.

Change-Id: Ifcb96d47983a67961efa27325b8ae0a88d9e0231
---
 base/common/src/com/netscape/certsrv/apps/CMS.java                  | 2 +-
 base/common/src/com/netscape/certsrv/apps/ICMSEngine.java           | 2 +-
 base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java    | 2 +-
 base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index d2210df..8f1d648 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -701,7 +701,7 @@ public final class CMS {
      * @param p an array of parameters
      * @return localized log message
      */
-    public static String getLogMessage(String msgID, String p[]) {
+    public static String getLogMessage(String msgID, Object p[]) {
         return _engine.getLogMessage(msgID, p);
     }
 
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index 97fc467..3655b03 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -334,7 +334,7 @@ public interface ICMSEngine extends ISubsystem {
      * @param p an array of parameters
      * @return localized log message
      */
-    public String getLogMessage(String msgID, String p[]);
+    public String getLogMessage(String msgID, Object p[]);
 
     /**
      * Retrieves the centralized log message from LogMessages.properties.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 90ee8b9..ef9a6a2 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1583,7 +1583,7 @@ public class CMSEngine implements ICMSEngine {
         return getUserMessage(locale, msgID, params);
     }
 
-    public String getLogMessage(String msgID, String params[]) {
+    public String getLogMessage(String msgID, Object params[]) {
         ResourceBundle rb = ResourceBundle.getBundle(
                 "LogMessages");
         String msg = rb.getString(msgID);
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index d6305cb..dd28adb 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -211,7 +211,7 @@ public class CMSEngineDefaultStub implements ICMSEngine {
         return null;
     }
 
-    public String getLogMessage(String msgID, String p[]) {
+    public String getLogMessage(String msgID, Object p[]) {
         return null;
     }
 
-- 
1.8.3.1


From 92b68d7ab3f58ad80a545f550f0598de2c43da2c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 13 Apr 2017 01:45:37 +0200
Subject: [PATCH 51/59] Added methods to log AuditEvent object.

New audit(AuditEvent) methods have been added alongside the
existing audit(String) methods.

Change-Id: Ia02a7daa8b9e8693208fe34309d8d727cc32ce54
---
 base/ca/src/com/netscape/ca/CAService.java         | 10 ++++++++++
 .../src/com/netscape/kra/AsymKeyGenService.java    | 10 ++++++++++
 .../src/com/netscape/kra/EnrollmentService.java    | 10 ++++++++++
 .../src/com/netscape/kra/KeyRecoveryAuthority.java | 10 ++++++++++
 .../src/com/netscape/kra/NetkeyKeygenService.java  | 10 ++++++++++
 .../com/netscape/kra/SecurityDataProcessor.java    | 10 ++++++++++
 .../kra/src/com/netscape/kra/SymKeyGenService.java | 10 ++++++++++
 .../com/netscape/kra/TokenKeyRecoveryService.java  |  9 +++++++++
 .../com/netscape/cms/authentication/CMCAuth.java   | 10 ++++++++++
 .../cms/src/com/netscape/cms/logging/LogFile.java  | 10 ++++++++++
 .../netscape/cms/profile/common/BasicProfile.java  | 11 +++++++++++
 .../netscape/cms/profile/input/EnrollInput.java    | 10 ++++++++++
 .../cms/profile/updater/SubsystemGroupUpdater.java | 14 +++++++++++--
 .../cms/src/com/netscape/cms/realm/PKIRealm.java   | 10 ++++++++++
 .../com/netscape/cms/servlet/base/CMSServlet.java  | 10 ++++++++++
 .../cms/servlet/connector/ConnectorServlet.java    | 10 ++++++++++
 .../cms/servlet/processors/CAProcessor.java        | 10 ++++++++++
 .../cms/servlet/processors/PKIProcessor.java       | 23 ++++++++++++++++------
 .../org/dogtagpki/server/rest/ACLInterceptor.java  | 10 ++++++++++
 .../src/com/netscape/cmscore/cert/CertUtils.java   | 10 ++++++++++
 .../src/com/netscape/cmscore/logging/Auditor.java  | 11 +++++++++++
 .../cmscore/selftests/SelfTestSubsystem.java       | 10 ++++++++++
 .../server/tps/processor/TPSProcessor.java         | 10 ++++++++++
 23 files changed, 240 insertions(+), 8 deletions(-)

diff --git a/base/ca/src/com/netscape/ca/CAService.java b/base/ca/src/com/netscape/ca/CAService.java
index 5b364b8..2ad1967 100644
--- a/base/ca/src/com/netscape/ca/CAService.java
+++ b/base/ca/src/com/netscape/ca/CAService.java
@@ -1177,6 +1177,16 @@ public class CAService implements ICAService, IService {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index 75e340c..bd2be70 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -228,6 +228,16 @@ public class AsymKeyGenService implements IService {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     private void auditAsymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID,
             String clientKeyID,
             String keyID, String reason) {
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index d2748a2..7c179d4 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -1034,4 +1034,14 @@ public class EnrollmentService implements IService {
                 ILogger.LL_SECURITY,
                 msg);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
index b6e4376..1df04db 100644
--- a/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
+++ b/base/kra/src/com/netscape/kra/KeyRecoveryAuthority.java
@@ -1570,6 +1570,16 @@ public class KeyRecoveryAuthority implements IAuthority, IKeyService, IKeyRecove
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 665ff19..4926873 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -708,4 +708,14 @@ public class NetkeyKeygenService implements IService {
                 ILogger.LL_SECURITY,
                 msg);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 78d64c5..05dccb9 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -770,6 +770,16 @@ public class SecurityDataProcessor {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     private void auditRecoveryRequestProcessed(String subjectID, String status, RequestId requestID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index f700a79..0dfd3a2 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -247,6 +247,16 @@ public class SymKeyGenService implements IService {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     private void auditSymKeyGenRequestProcessed(String subjectID, String status, RequestId requestID, String clientKeyID,
             String keyID, String reason) {
         String auditMessage = CMS.getLogMessage(
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index b710291..67f4dc6 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -733,4 +733,13 @@ public class TokenKeyRecoveryService implements IService {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
index 02aceb4..b898353 100644
--- a/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
+++ b/base/server/cms/src/com/netscape/cms/authentication/CMCAuth.java
@@ -1073,6 +1073,16 @@ public class CMCAuth implements IAuthManager, IExtendedPluginInfo,
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index 989fece..772607e 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -1541,4 +1541,14 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
                                 ILogger.LL_SECURITY,
                                 msg);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
index ff97bfa..e6fc045 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/BasicProfile.java
@@ -30,6 +30,7 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.NameValuePairs;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.profile.EProfileException;
 import com.netscape.certsrv.profile.ERejectException;
@@ -1173,6 +1174,16 @@ public abstract class BasicProfile implements IProfile {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
index 81e71c4..84a6398 100644
--- a/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
+++ b/base/server/cms/src/com/netscape/cms/profile/input/EnrollInput.java
@@ -263,6 +263,16 @@ public abstract class EnrollInput implements IProfileInput {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
index 2f47efa..7daa8e4 100644
--- a/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
+++ b/base/server/cms/src/com/netscape/cms/profile/updater/SubsystemGroupUpdater.java
@@ -21,8 +21,6 @@ import java.util.Enumeration;
 import java.util.Locale;
 import java.util.Vector;
 
-import netscape.security.x509.X509CertImpl;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.ConflictingOperationException;
 import com.netscape.certsrv.base.EBaseException;
@@ -42,6 +40,8 @@ import com.netscape.certsrv.usrgrp.IGroup;
 import com.netscape.certsrv.usrgrp.IUGSubsystem;
 import com.netscape.certsrv.usrgrp.IUser;
 
+import netscape.security.x509.X509CertImpl;
+
 /**
  * This updater class will create the new user to the subsystem group and
  * then add the subsystem certificate to the user.
@@ -279,6 +279,16 @@ public class SubsystemGroupUpdater implements IProfileUpdater {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     private String auditSubjectID() {
         if (mSignedAuditLogger == null) {
             return null;
diff --git a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
index 28fb0b9..bcd3ff8 100644
--- a/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
+++ b/base/server/cms/src/com/netscape/cms/realm/PKIRealm.java
@@ -227,4 +227,14 @@ public class PKIRealm extends RealmBase {
                 ILogger.LL_SECURITY,
                 msg);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
index c7fc03b..a007a00 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/base/CMSServlet.java
@@ -2068,6 +2068,16 @@ public abstract class CMSServlet extends HttpServlet {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
index 2299e60..13c732b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/connector/ConnectorServlet.java
@@ -1025,6 +1025,16 @@ public class ConnectorServlet extends CMSServlet {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Profile ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
index ad79cbb..8c4fef1 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/CAProcessor.java
@@ -945,6 +945,16 @@ public class CAProcessor extends Processor {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Requester ID
      *
diff --git a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
index bea8993..e6ee2db 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/processors/PKIProcessor.java
@@ -23,12 +23,6 @@ import java.util.Date;
 
 import javax.servlet.http.HttpServletRequest;
 
-import netscape.security.x509.CertificateExtensions;
-import netscape.security.x509.CertificateSubjectName;
-import netscape.security.x509.CertificateValidity;
-import netscape.security.x509.X500Name;
-import netscape.security.x509.X509CertInfo;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.authentication.AuthToken;
 import com.netscape.certsrv.authentication.IAuthToken;
@@ -36,11 +30,18 @@ import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.IArgBlock;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.ICMSRequest;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.request.IRequest;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.ECMSGWException;
 
+import netscape.security.x509.CertificateExtensions;
+import netscape.security.x509.CertificateSubjectName;
+import netscape.security.x509.CertificateValidity;
+import netscape.security.x509.X500Name;
+import netscape.security.x509.X509CertInfo;
+
 /**
  * Process Certificate Requests
  *
@@ -316,6 +317,16 @@ public class PKIProcessor implements IPKIProcessor {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * Signed Audit Log Subject ID
      *
diff --git a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
index 86996d5..331bae1 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/ACLInterceptor.java
@@ -351,4 +351,14 @@ public class ACLInterceptor implements ContainerRequestFilter {
                 ILogger.LL_SECURITY,
                 msg);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
index e1c4c76..6691f7a 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/cert/CertUtils.java
@@ -1102,4 +1102,14 @@ public class CertUtils {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
index 8c99e67..48dfe3a 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/Auditor.java
@@ -24,6 +24,7 @@ import java.util.Map;
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.common.Constants;
+import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.IAuditor;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.usrgrp.IGroup;
@@ -218,4 +219,14 @@ public class Auditor implements IAuditor {
                 ILogger.LL_SECURITY,
                 message);
     }
+
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        log(message);
+    }
 }
diff --git a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
index 95556b9..6ee3176 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/selftests/SelfTestSubsystem.java
@@ -127,6 +127,16 @@ public class SelfTestSubsystem
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     /**
      * This helper method returns the "full" property name (the corresponding
      * substore name prepended in front of the plugin/parameter name). This
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 910a263..0cfac59 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -4264,6 +4264,16 @@ public class TPSProcessor {
                 msg);
     }
 
+    protected void audit(AuditEvent event) {
+
+        String template = event.getMessage();
+        Object[] params = event.getParameters();
+
+        String message = CMS.getLogMessage(template, params);
+
+        audit(message);
+    }
+
     public static void main(String[] args) {
     }
 
-- 
1.8.3.1


From 164087b1fc302dd8b125cd52e9e55f54ea97e09d Mon Sep 17 00:00:00 2001
From: Jack Magne <jmagne@dhcp-16-206.sjc.redhat.com>
Date: Fri, 24 Mar 2017 15:56:17 -0700
Subject: [PATCH 52/59] SCP03 support for g&d sc 7 card.

This allows the use of the g&d 7 card.
This will require the following:

1. An out of band method is needed to generate an AES based master key.
We do not as of yet have support with tkstool for this:

Ex:

/usr/lib64/nss/unsupported-tools/symkeyutil -d . -K -n new_master_aes -t aes -s 16

2. There are some new config params that can be adjusted to support either the 6.0 or 7.0 cards:

Ex:

tks.defKeySet._005=## tks.prot3   , protocol 3 specific settings
tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
tks.defKeySet._010=##
tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
tks.defKeySet._013=## Smart Cafe 6 settings:
tks.defKeySet._014=##    tks.defKeySet.prot3.divers=emv
tks.defKeySet._015=##    tks.defKeySet.prot3.diversVer1Keys=emv
tks.defKeySet._016=##    tks.defKeySet.prot3.devKeyType=DES3
tks.defKeySet._017=##    tks.defKeySet.prot3.masterKeyType=DES3
tks.defKeySet._018=##Smart Cafe 7 settings:
tks.defKeySet._019=##    tks.defKeySet.prot3.divers=none
tks.defKeySet._020=##    tks.defKeySet.prot3.diversVer1Keys=none
tks.defKeySet._021=##    tks.defKeySet.prot3.devKeyType=AES
tks.defKeySet._022=##    tks.defKeySet.prot3.masterKeyType=AES
tks.defKeySet._023=##
tks.defKeySet._024=##
---
 .../src/com/netscape/cms/servlet/tks/GPParams.java |  21 ++++
 .../netscape/cms/servlet/tks/NistSP800_108KDF.java | 114 +++++----------------
 .../cms/servlet/tks/SecureChannelProtocol.java     | 107 ++++++++++++++-----
 .../com/netscape/cms/servlet/tks/TokenServlet.java |  20 ++++
 base/tks/shared/conf/CS.cfg                        |  24 +++++
 base/tps/shared/conf/CS.cfg                        |   2 +-
 6 files changed, 174 insertions(+), 114 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
index f16481b..bda4e66 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/GPParams.java
@@ -30,6 +30,8 @@ public class GPParams {
     public static String DIVER_NONE = "none";
     public static String DIVER_VISA2 = "visa2";
     public static String NIST_SP800 = "nistsp_800";
+    public static String AES = "AES";
+    public static String DES3 ="DES3";
 
     public GPParams() {
     }
@@ -39,6 +41,25 @@ public class GPParams {
     //Diversification scheme for just version one or developer keys
     private String version1DiversificationScheme;
 
+    private String devKeyType;
+    private String masterKeyType;
+
+    public String getDevKeyType() {
+        return devKeyType;
+    }
+
+    public String getMasterKeyType() {
+        return masterKeyType;
+    }
+
+    public void setDevKeyType(String newType) {
+        devKeyType = newType;
+    }
+
+    public void setMasterKeyType(String newType) {
+        masterKeyType = newType;
+    }
+
     public boolean isDiversEmv() {
         if (DIVER_EMV.equalsIgnoreCase(diversificationScheme))
             return true;
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
index ad4a370..1f2c1b5 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/NistSP800_108KDF.java
@@ -461,8 +461,8 @@ public class NistSP800_108KDF extends KDF {
     // Collection of informal invocations of api used to create various session keys
     // Done with test data.
     public static void main(String[] args) {
-/*
-      Options options = new Options();
+
+  /*   Options options = new Options();
 
         options.addOption("d", true, "Directory for tokendb");
 
@@ -474,15 +474,20 @@ public class NistSP800_108KDF extends KDF {
                 (byte) 0x4f };
 
         byte test_cuid[] = { (byte) 0x47,(byte) 0x90,(byte)0x50,(byte)0x37,(byte)0x72,(byte)0x71,(byte)0x97,(byte)0x00,(byte)0x74,(byte)0xA9 };
-        byte test_kdd[] = { (byte)0x00, (byte)0x00, (byte)0x50, (byte)0x24,(byte) 0x97,(byte) 0x00,(byte) 0x74, (byte) 0xA9, (byte)0x72,(byte)0x71 };
+        byte test_kdd[] = { 0x00 ,0x00, 0x04 ,(byte)0x47 ,0x00 ,(byte)0x1F ,0x00 ,(byte)0x46 ,(byte)0xA7 ,0x02 };
+
 
+        byte test_host_challenge[]  = { (byte)0x2F ,(byte)0xB7 ,(byte)0x9F ,(byte)0xB7 ,(byte)0x04 ,(byte)0xFA ,(byte)0x60 ,(byte)0xE8 };
+        byte test_card_challenge[]  = { (byte)0xB9,(byte) 0x69 ,(byte)0xB0 ,(byte)0xCA ,(byte)0x37 ,(byte)0x27 ,(byte)0x2F ,(byte)0x89};
 
-        byte test_host_challenge[]  = { 0x06 ,(byte)0xA4 ,0x46 ,0x57 ,(byte) 0x8B ,0x65 ,0x48 ,0x51 };
-        byte test_card_challenge[]  = { (byte) 0xAD ,(byte) 0x2E ,(byte)0xD0 ,0x1E ,0x7C ,0x2D ,0x0C ,0x6F};
+        byte test_host_challenge_1[] = { (byte)0xD9 ,(byte)0xA0 ,(byte)0x0E ,(byte)0x36 ,(byte)0x69 ,(byte)0x67 ,(byte)0xFA ,(byte)0xFB };
+        byte test_card_challenge_1[] = {(byte)0x08 ,(byte) 0xF3 ,(byte) 0xE2 ,(byte)0xC3 ,0x72 ,(byte)0xF0 ,(byte)0xBE ,0x26 };
 
-        byte test_key_info[] = { (byte) 0x02,(byte) 03,(byte) 00 };
+        byte test_key_info[] = { (byte) 0x01,(byte) 03,(byte) 70 };
         byte test_old_key_info[] = {0x01,0x03,0x00};
 
+        byte test_sequence_counter[] = { 0x00 ,0x00 ,0x06 };
+
         try {
             CommandLineParser parser = new DefaultParser();
             CommandLine cmd = parser.parse(options, args);
@@ -500,11 +505,6 @@ public class NistSP800_108KDF extends KDF {
         SymmetricKey macKey = null;
         SymmetricKey kekKey = null;
 
-        SymmetricKey putEncKey = null;
-        SymmetricKey putMacKey = null;
-        SymmetricKey putKekKey = null;
-
-        SymmetricKey tempKey = null;
 
         try {
             CryptoManager.initialize(db_dir);
@@ -512,113 +512,55 @@ public class NistSP800_108KDF extends KDF {
 
             CryptoToken token = cm.getInternalKeyStorageToken();
 
-           KeyGenerator kg = token.getKeyGenerator(KeyGenAlgorithm.AES);
-
-            SymmetricKey.Usage usages[] = new SymmetricKey.Usage[4];
-            usages[0] = SymmetricKey.Usage.WRAP;
-            usages[1] = SymmetricKey.Usage.UNWRAP;
-            usages[2] = SymmetricKey.Usage.ENCRYPT;
-            usages[3] = SymmetricKey.Usage.DECRYPT;
-
-            kg.setKeyUsages(usages);
-            kg.temporaryKeys(true);
-            kg.initialize(128);
-            tempKey = kg.generate();
-
-
-            Cipher encryptor = token.getCipherContext(EncryptionAlgorithm.AES_128_CBC);
-
-            int ivLength = EncryptionAlgorithm.AES_128_CBC.getIVLength();
-            byte[] iv = null;
-
-            if (ivLength > 0) {
-                iv = new byte[ivLength]; // all zeroes
-            }
-
-            encryptor.initEncrypt(tempKey, new IVParameterSpec(iv));
-            byte[] wrappedKey = encryptor.doFinal(devKey);
-
-            KeyWrapper keyWrap = token.getKeyWrapper(KeyWrapAlgorithm.AES_CBC);
-            keyWrap.initUnwrap(tempKey, new IVParameterSpec(iv));
-
-            encKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
-            macKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
-            kekKey = keyWrap.unwrapSymmetric(wrappedKey, SymmetricKey.DES3, 16);
-
             String transportName = "TPS-dhcp-16-206.sjc.redhat.com-8443 sharedSecret";
             SecureChannelProtocol prot = new SecureChannelProtocol(SecureChannelProtocol.PROTOCOL_THREE);
 
             SymmetricKey masterKey =  SecureChannelProtocol.getSymKeyByName(token,"new_master");
 
             GPParams params = new GPParams();
-            params.setVersion1DiversificationScheme("visa2");
-            params.setDiversificationScheme("visa2");
-
-            putEncKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
-                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
-                    transportName,params);
-
-            putMacKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
-                    SecureChannelProtocol.macType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
-                    transportName,params);
-
-            putKekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_old_key_info,
-                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, null, null,
-                    transportName,params);
+            params.setVersion1DiversificationScheme("emv");
+            params.setDiversificationScheme("emv");
+            params.setDevKeyType(GPParams.AES);
+            params.setMasterKeyType(GPParams.AES);
 
             //create test session keys
-            encKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
-                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
+            encKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
+                    SecureChannelProtocol.encType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
                     transportName,params);
 
-            macKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
-                    SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
+            macKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
+                    SecureChannelProtocol.macType,devKey,"defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
                     transportName,params);
 
-            kekKey = prot.computeSessionKey_SCP03("internal", "new_master",test_key_info,
-                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge, test_card_challenge,
+            kekKey = prot.computeSessionKey_SCP03("internal", "#01#03#70",test_key_info,
+                    SecureChannelProtocol.kekType, devKey, "defKeySet", test_cuid, test_kdd, test_host_challenge_1, test_card_challenge_1,
                     transportName,params);
 
             System.out.println("masterKey: " + masterKey);
 
             System.out.println("\n");
 
-            SecureChannelProtocol.debugByteArray(putEncKey.getKeyData(), " derived putEnc session key data: ");
-            SecureChannelProtocol.debugByteArray(putMacKey.getKeyData(), " derived putMac session key data: ");
-            SecureChannelProtocol.debugByteArray(putKekKey.getKeyData(), " derived putKek session key data: ");
-
-            System.out.println("\n");
 
             SecureChannelProtocol.debugByteArray(encKey.getKeyData(), " derived enc session key data: ");
             SecureChannelProtocol.debugByteArray(macKey.getKeyData(), " derived mac session key data: ");
             SecureChannelProtocol.debugByteArray(kekKey.getKeyData(), " derived kek session key data: ");
 
-            ByteArrayOutputStream contextStream = new ByteArrayOutputStream();
-            try {
-                contextStream.write(test_host_challenge);
-                contextStream.write(test_card_challenge);
-            } catch (IOException e) {
-            }
-
-            StandardKDF standard = new StandardKDF(prot);
 
             ByteArrayOutputStream testContext = new ByteArrayOutputStream();
 
-            testContext.write(test_host_challenge);
-            testContext.write(test_card_challenge);
+            testContext.write(test_host_challenge_1);
+            testContext.write(test_card_challenge_1);
+
+            SecureChannelProtocol.debugByteArray(testContext.toByteArray(), "Test context bytes: ");
 
-            NistSP800_108KDF  nistKdf = new NistSP800_108KDF(prot);
 
-            byte[] finalEncBytes = nistKdf.kdf_AES_CMAC_SCP03(encKey, testContext.toByteArray(), (byte) 0x04, 16);
-            byte[] finalMacBytes = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), (byte) 0x06, 16);
+            NistSP800_108KDF  nistKdf = new NistSP800_108KDF(prot);
 
-            SymmetricKey sEnc  = prot.unwrapAESSymKeyOnToken(token, finalEncBytes, false);
-            SymmetricKey sMac  = macKey = prot.unwrapAESSymKeyOnToken(token, finalMacBytes, false);
 
-            byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8);
+            byte[] cardCryptoVerify = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), CARD_CRYPTO_KDF_CONSTANT, 8);
             SecureChannelProtocol.debugByteArray(cardCryptoVerify, " calculated card cryptogram");
 
-            byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(sMac, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8);
+            byte[] hostCrypto = nistKdf.kdf_AES_CMAC_SCP03(macKey, testContext.toByteArray(), HOST_CRYPTO_KDF_CONSTANT, 8);
             SecureChannelProtocol.debugByteArray(hostCrypto, " calculated host cryptogram");
 
         } catch (AlreadyInitializedException e) {
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
index 371e734..ef0c61b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/SecureChannelProtocol.java
@@ -36,6 +36,7 @@ public class SecureChannelProtocol {
     static String sharedSecretKeyName = null;
     static String masterKeyPrefix = null;
 
+    static final int DEF_AES_KEYLENGTH = 16;
     static final int KEYLENGTH = 16;
     static final int PREFIXLENGHT = 128;
     static final int DES2_LENGTH = 16;
@@ -288,7 +289,9 @@ public class SecureChannelProtocol {
 
         {
             String finalKeyType = keyType;
-            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray);
+            String devKeyType = params.getDevKeyType();
+            CMS.debug(method + " Developer key set case: incoming dev key type: " + devKeyType);
+            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,devKeyType);
 
             StandardKDF standard = new StandardKDF(this);
             SymmetricKey divKey = null;
@@ -297,22 +300,31 @@ public class SecureChannelProtocol {
 
             //Consult the config to determine with diversification method to use.
             if (params.isVer1DiversNone()) {
+                CMS.debug(method + " No diversifcation requested. ");
                 noDivers = true;
             } else if (params.isVer1DiversEmv()) {
+                CMS.debug(method + " EMV diversification requested. ");
                 keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType);
             } else if (params.isVer1DiversVisa2()) {
+                CMS.debug(method + " Visa2 diversification requested.");
                 keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType);
             } else {
                 throw new EBaseException(method + " Invalid diversification method!");
             }
 
             //Obtain the card key,it may just be the raw developer key
-            if (noDivers == true) {
-                divKey = unwrapAESSymKeyOnToken(token, devKeyArray, false);
+            if (noDivers == true || GPParams.AES.equalsIgnoreCase(devKeyType)) {
+                divKey = devSymKey;
             } else {
 
                 // The g&d calls for computing the aes card key with DES, it will then be treated as aes
-                divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token);
+                // Right now if the dev key type is AES, we do not support any diversification
+
+                if (GPParams.DES3.equalsIgnoreCase(devKeyType)) {
+                    divKey = standard.computeCardKey_SCP03_WithDES3(devSymKey, keyDiversified, token);
+                } else {
+                    throw new EBaseException(method + " Invalid devolper key type. Does not support diversification: "+ devKeyType);
+                }
             }
 
             NistSP800_108KDF nistKdf = new NistSP800_108KDF(this);
@@ -338,22 +350,35 @@ public class SecureChannelProtocol {
 
             masterKey = getSymKeyByName(token, keyNameStr);
 
+            String masterKeyType = params.getMasterKeyType();
+
+            CMS.debug(method + " Master key case: requested master key type: " + masterKeyType);
+
             StandardKDF standard = new StandardKDF(this);
 
             byte[] keyDiversified = null;
 
             if (params.isDiversNone()) {
-                throw new EBaseException(method + " No diversification requested in master key mode. Aborting...");
+                if (GPParams.AES.equalsIgnoreCase(masterKeyType)) {
+                    CMS.debug(method + " Master key case: no diversification requested: With master key type of AES ");
+                }
+                else {
+                    throw new EBaseException(method + " No diversification requested in master key mode. With master key type of DES3: Aborting...");
+                }
             } //Allow choice of emv or standard diversification
             else if (params.isDiversEmv()) {
                 keyDiversified = KDF.getDiversificationData_EMV(xKDD, keyType);
             } else if (params.isDiversVisa2()) {
                 keyDiversified = KDF.getDiversificationData_VISA2(xKDD, keyType);
             }
-
             SymmetricKey divKey = null;
 
-            divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token);
+            if(GPParams.AES.equalsIgnoreCase(masterKeyType)) {
+                CMS.debug(method + " master key case with AES type.");
+                divKey = masterKey;
+            } else {
+                divKey = standard.computeCardKey_SCP03_WithDES3(masterKey, keyDiversified, token);
+            }
 
             NistSP800_108KDF nistKdf = new NistSP800_108KDF(this);
             // The kek session key does not call for derivation
@@ -488,11 +513,11 @@ public class SecureChannelProtocol {
 
             String finalKeyType = keyType;
 
-            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray);
+            SymmetricKey devSymKey = returnDeveloperSymKey(token, finalKeyType, keySet, devKeyArray,"DES3");
 
             // Create the auth with is the same as enc, might need it later.
             if (keyType.equals(encType)) {
-                returnDeveloperSymKey(token, authType, keySet, devKeyArray);
+                returnDeveloperSymKey(token, authType, keySet, devKeyArray,"DES3");
             }
 
             if (noDerive == true) {
@@ -672,14 +697,25 @@ public class SecureChannelProtocol {
     From that point it is a simple matter of retrieving  the desired key from the token.
     No security advantage is implied or desired here.
     */
-    public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray)
+    public SymmetricKey returnDeveloperSymKey(CryptoToken token, String keyType, String keySet, byte[] inputKeyArray, String keyAlg)
             throws EBaseException {
 
         SymmetricKey devKey = null;
 
         String method = "SecureChannelProtocol.returnDeveloperSymKey:";
 
-        String devKeyName = keySet + "-" + keyType + "Key";
+        boolean isAES = false;
+        String finalAlg = null;
+        if(keyAlg == null) {
+            finalAlg = "DES3";
+        }
+
+        if(keyAlg.equalsIgnoreCase("AES")) {
+            isAES = true;
+            finalAlg = "AES";
+        }
+
+        String devKeyName = keySet + "-" + keyType + "Key"  + "-" + finalAlg;
         CMS.debug(method + " entering.. searching for key: " + devKeyName);
 
         if (token == null || keyType == null || keySet == null) {
@@ -706,22 +742,31 @@ public class SecureChannelProtocol {
 
             CMS.debug(method + " inputKeyArray.length: " + inputLen);
 
-            if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) {
-                throw new EBaseException(method + "invalid input key length!");
-            }
+            if (!isAES) {
+                if (inputLen != DES3_LENGTH && inputLen != DES2_LENGTH) {
+                    throw new EBaseException(method + "invalid input key length!");
+                }
+
+                if (inputLen == DES2_LENGTH) {
+                    des3InputKey = new byte[DES3_LENGTH];
+                    System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH);
+                    System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES);
+
+                } else {
+                    System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH);
+                }
+
+                SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": ");
 
-            if (inputLen == DES2_LENGTH) {
-                des3InputKey = new byte[DES3_LENGTH];
-                System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES2_LENGTH);
-                System.arraycopy(inputKeyArray, 0, des3InputKey, DES2_LENGTH, EIGHT_BYTES);
+                devKey = unwrapSymKeyOnToken(token, des3InputKey, true);
 
             } else {
-                System.arraycopy(inputKeyArray, 0, des3InputKey, 0, DES3_LENGTH);
-            }
 
-            SecureChannelProtocol.debugByteArray(des3InputKey, "Developer key to import: " + keyType + ": ");
+                if(inputLen == DEF_AES_KEYLENGTH) { // support 128 bits for now
+                    devKey = unwrapAESSymKeyOnToken(token, inputKeyArray, true);
+                }
+            }
 
-            devKey = unwrapSymKeyOnToken(token, des3InputKey, true);
             devKey.setNickName(devKeyName);
         } else {
             CMS.debug(method + " Found sym key: " + devKeyName);
@@ -1823,9 +1868,9 @@ public class SecureChannelProtocol {
             //This is the case where we revert to the original developer key set or key set 1
             if (protocol == PROTOCOL_ONE) {
                 CMS.debug(method + " Special case returning to the dev key set (1) for DiversifyKey, protocol 1!");
-                encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null);
-                macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null);
-                kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null);
+                encKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.encType, keySet, null,"DES3");
+                macKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.macType, keySet, null,"DES3");
+                kekKey = returnDeveloperSymKey(newToken, SecureChannelProtocol.kekType, keySet, null,"DES3");
             } else if (protocol == PROTOCOL_THREE) {
                 CMS.debug(method + " Special case or returning to the dev key set (or ver 1) for DiversifyKey, protocol 3!");
                 encKey = this.computeSessionKey_SCP03(tokenName, newMasterKeyName, newKeyInfo,
@@ -1920,7 +1965,15 @@ public class SecureChannelProtocol {
 
             CMS.debug(method + " old kek sym key is null");
 
-            old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray);
+            String devKeyType = null;
+
+            if(protocol == PROTOCOL_THREE) {
+                devKeyType = params.getDevKeyType();
+            } else {
+                devKeyType = "DES3";
+            }
+
+            old_kek_sym_key = returnDeveloperSymKey(token, SecureChannelProtocol.kekType, keySet, kekKeyArray, devKeyType);
 
             output = createKeySetDataWithSymKeys(newKeyVersion, (byte[]) null,
                     old_kek_sym_key,
@@ -2070,7 +2123,7 @@ public class SecureChannelProtocol {
             throw new EBaseException(method + " Can't compose final output byte array!");
         }
 
-        //SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: ");
+        SecureChannelProtocol.debugByteArray(output, " Final output to createKeySetData: ");
         CMS.debug(method + " returning output");
 
         return output;
diff --git a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
index 3915b73..1377055 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -3184,6 +3184,26 @@ public class TokenServlet extends CMSServlet {
         params.setVersion1DiversificationScheme(diversVer1Keys);
         CMS.debug(method + " Version 1 keys Divers: " + divers);
 
+        String keyType = null;
+        try {
+            keyType = CMS.getConfigStore().getString(gp3Settings + ".devKeyType","DES3");
+        } catch (EBaseException e) {
+        }
+
+        CMS.debug(method + " devKeyType: " + keyType);
+
+        params.setDevKeyType(keyType);
+
+        try {
+            keyType = CMS.getConfigStore().getString(gp3Settings + ".masterKeyType","DES3");
+        } catch (EBaseException e) {
+        }
+
+        params.setMasterKeyType(keyType);
+
+        CMS.debug(method + " masterKeyType: " + keyType);
+
+
         return params;
     }
 
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
index 0eea3e9..45716d2 100644
--- a/base/tks/shared/conf/CS.cfg
+++ b/base/tks/shared/conf/CS.cfg
@@ -340,11 +340,35 @@ tks.defKeySet._001=## Axalto default key set:
 tks.defKeySet._002=##
 tks.defKeySet._003=## tks.defKeySet.mk_mappings.#02#01=<tokenname>:<nickname>
 tks.defKeySet._004=##
+tks.defKeySet._005=## tks.prot3   , protocol 3 specific settings
+tks.defKeySet._006=## divers= emv,visa2 : Values for the master key case, or > version one.
+tks.defKeySet._007=## diversVer1 = emv,visa2, or none. This is for developer or version one keyset
+tks.defKeySet._008=## devKeyType = DES3or AES. This is for the key type of developer or version one keys.
+tks.defKeySet._009=## masterKeyType = DES3 or AES. This is for the type of key for the master key.
+tks.defKeySet._010=##
+tks.defKeySet._011=## Only supports two tokens now: G&D Smart Cafe 6 and Smart Cafe 7, use these exact settings
+tks.defKeySet._013=## Smart Cafe 6 settings:
+tks.defKeySet._014=##    tks.defKeySet.prot3.divers=emv
+tks.defKeySet._015=##    tks.defKeySet.prot3.diversVer1Keys=emv
+tks.defKeySet._016=##    tks.defKeySet.prot3.devKeyType=DES3
+tks.defKeySet._017=##    tks.defKeySet.prot3.masterKeyType=DES3
+tks.defKeySet._018=##Smart Cafe 7 settings:
+tks.defKeySet._019=##    tks.defKeySet.prot3.divers=none
+tks.defKeySet._020=##    tks.defKeySet.prot3.diversVer1Keys=none
+tks.defKeySet._021=##    tks.defKeySet.prot3.devKeyType=AES
+tks.defKeySet._022=##    tks.defKeySet.prot3.masterKeyType=AES
+tks.defKeySet._023=##
+tks.defKeySet._024=##
 tks.defKeySet.auth_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
 tks.defKeySet.mac_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
 tks.defKeySet.kek_key=#40#41#42#43#44#45#46#47#48#49#4a#4b#4c#4d#4e#4f
 tks.defKeySet.nistSP800-108KdfOnKeyVersion=00
 tks.defKeySet.nistSP800-108KdfUseCuidAsKdd=false
+tks.defKeySet.prot3.divers=emv
+tks.defKeySet.prot3.diversVer1Keys=emv
+tks.defKeySet.prot3.devKeyType=DES3
+tks.defKeySet.prot3.masterKeyType=DES3
+
 tks.jForte._000=##
 tks.jForte._001=## SAFLink's jForte default key set:
 tks.jForte._002=##
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 8d667f5..2d9057a 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -10,7 +10,7 @@ applet._001=# applet information
 applet._002=# SAF Key:
 applet._003=# applet.aid.cardmgr_instance=A0000001510000
 applet._004=# Stock RSA,KeyRecover applet : 1.4.58768072.ijc 
-applet._005=# Beta RSA/KeyRecovery/GP211/SCP02 applet : 1.5.558cdcff.ijc
+applet._005=# RSA/KeyRecovery/GP211/SCP02, SCP03 applet : 1.5.558cdcff.ijc
 applet._006=# Use GP211 applet only with SCP02 card
 applet._007=#########################################
 applet.aid.cardmgr_instance=A0000000030000
-- 
1.8.3.1


From 7672b543f8c62da34f0bb11be17d5e6d336cb2da Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Tue, 11 Apr 2017 23:04:34 -0400
Subject: [PATCH 53/59] Fix python issues identified in review

subprocess returns bytes in Python 3.  Make sure to
decode first when returning env variables.

Change-Id: I225044c0463f0a84ac5ffb77b28391fac269598d
---
 base/common/python/pki/util.py | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 0de13fd..5832f55 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -258,10 +258,9 @@ def read_environment_files(env_file_list=None):
     if env_file_list is None:
         env_file_list = DEFAULT_PKI_ENV_LIST
 
-    file_command = ''
-    for env_file in env_file_list:
-        file_command += "source " + env_file + " && "
-    file_command += "env"
+    file_command = ' && '.join(
+        'source {}'.format(env_file) for env_file in env_file_list)
+    file_command += ' && env'
 
     command = [
         'bash',
@@ -269,7 +268,7 @@ def read_environment_files(env_file_list=None):
         file_command
     ]
 
-    env_vals = subprocess.check_output(command).split('\n')
+    env_vals = subprocess.check_output(command).decode('utf-8').split('\n')
 
     for env_val in env_vals:
         (key, _, value) = env_val.partition("=")
-- 
1.8.3.1


From af1ad849c62fb76915142796ead7677abd5896f3 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 11 Apr 2017 09:28:15 +0200
Subject: [PATCH 54/59] Add Travis CI to compose core RPM packages

The command "./scripts/compose_pki_core_packages rpms" is tested on
Fedora 25, 26 and rawhide. On 25 and 26, the COPR @pki/10.4 is enabled
to provide additional build dependencies.

Travis Ci is configured to use pre-populated Docker images from
https://github.com/dogtagpki/pki-ci-containers . The images contain
build dependencies.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
 .travis.test | 31 +++++++++++++++++++++++++++++++
 .travis.yml  | 20 ++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100755 .travis.test
 create mode 100644 .travis.yml

diff --git a/.travis.test b/.travis.test
new file mode 100755
index 0000000..ca81022
--- /dev/null
+++ b/.travis.test
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -ex
+
+WORKDIR="${BUILDDIR:-/tmp/builddir}"
+BUILDUSER=builduser
+BUILDUSER_UID=${UID:-1000}
+BUILDUSER_GID=${GID:-1000}
+
+. /etc/os-release
+
+echo "$NAME $VERSION $1"
+
+## compose_pki_core_packages doesn't run as root, create a build user
+groupadd --non-unique -g $BUILDUSER_GID ${BUILDUSER}
+useradd --non-unique -u $BUILDUSER_UID -g $BUILDUSER_GID ${BUILDUSER}
+
+## chown workdir and enter pki dir
+chown ${BUILDUSER}:${BUILDUSER} ${WORKDIR}
+cd ${WORKDIR}/pki
+
+## prepare additional build dependencies
+dnf copr -y enable @pki/10.4
+dnf builddep -y ./specs/pki-core.spec
+
+# update, container might be outdated
+dnf update -y
+
+## run tox and build
+# run make with --quiet to reduce log verbosity. Travis CI has a log limit
+# of 10,000 lines.
+sudo -u ${BUILDUSER} MAKEFLAGS="-j2 --quiet" -s -- ./scripts/compose_pki_core_packages rpms
diff --git a/.travis.yml b/.travis.yml
new file mode 100644
index 0000000..2e1a69f
--- /dev/null
+++ b/.travis.yml
@@ -0,0 +1,20 @@
+sudo: required
+language: python
+
+services:
+  - docker
+
+env:
+  - CONTAINER=dogtagpki/pki-ci-containers:f25_104
+  - CONTAINER=dogtagpki/pki-ci-containers:f26_104
+  - CONTAINER=dogtagpki/pki-ci-containers:rawhide
+
+script:
+  - docker pull $CONTAINER
+  - >
+    docker run
+    -v $(pwd):/tmp/workdir/pki
+    -e UID=$(id -u)
+    -e GID=$(id -g)
+    $CONTAINER
+    /tmp/workdir/pki/.travis.test $CONTAINER
-- 
1.8.3.1


From c381566ddf1f4f05330063bb012d59e5c1753b13 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 13 Apr 2017 08:13:26 +0200
Subject: [PATCH 55/59] Fixed ClientIP field in SSL session audit log.

The PKIServerSocketListener has been fixed to obtain the correct
client IP address from SSL socket.

https://pagure.io/dogtagpki/issue/2602

Change-Id: I7d3b2dc14d6f442830ee5911613a0e9fc360cfba
---
 .../cms/src/org/dogtagpki/server/PKIServerSocketListener.java | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
index 7016bc8..093776f 100644
--- a/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
+++ b/base/server/cms/src/org/dogtagpki/server/PKIServerSocketListener.java
@@ -18,8 +18,6 @@
 package org.dogtagpki.server;
 
 import java.net.InetAddress;
-import java.net.InetSocketAddress;
-import java.net.SocketAddress;
 import java.security.Principal;
 
 import org.mozilla.jss.crypto.X509Certificate;
@@ -45,8 +43,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
         try {
             SSLSocket socket = event.getSocket();
 
-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+            InetAddress clientAddress = socket.getInetAddress();
             InetAddress serverAddress = socket.getLocalAddress();
             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
@@ -85,8 +82,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
         try {
             SSLSocket socket = event.getSocket();
 
-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+            InetAddress clientAddress = socket.getInetAddress();
             InetAddress serverAddress = socket.getLocalAddress();
             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
@@ -139,8 +135,7 @@ public class PKIServerSocketListener implements SSLSocketListener {
         try {
             SSLSocket socket = event.getSocket();
 
-            SocketAddress remoteSocketAddress = socket.getRemoteSocketAddress();
-            InetAddress clientAddress = remoteSocketAddress == null ? null : ((InetSocketAddress)remoteSocketAddress).getAddress();
+            InetAddress clientAddress = socket.getInetAddress();
             InetAddress serverAddress = socket.getLocalAddress();
             String clientIP = clientAddress == null ? "" : clientAddress.getHostAddress();
             String serverIP = serverAddress == null ? "" : serverAddress.getHostAddress();
-- 
1.8.3.1


From 716dca464943a22eb6588187fba9fad85e1c1345 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 6 Apr 2017 17:09:39 -0400
Subject: [PATCH 56/59] Fix symkey retrieval in python client

Keys (like symmetric keys and asymmetric keys) are returned
from the KRA either encrypted or key wrapped.  Because the
AES keywrapping algorithm cannot be decrypted using AES CBC,
we need special logic to unwrap the keys.

The flow here is as follows:
1. When a key retrieval request is sent to the server,
   the client sends the encryption and key wrapping
   algorithms it requires the key to be wrapped along
   with the wrapping key.
2. If no encryption algorithm or key wrap algorithm is
   recieved, the server assumes its talking to an old
   client and uses DES3.
3. The key is retrieved and (on server's choice) is wrapped
   or encrypted.  The return package will have either
   encryption or key wrap algorithm set (depending on how
   the key was encrypted/wrapped.)
4. client uses that to determine how to unwrap key.

This patch:
1. Makes sure the key wrap algorithm requested by client
   is passed through and used to wrap the retrieved key.
2. Adds logic in the python client to unwrap/decrypt.
3. As python-cryptography does not yet support
   AES KeyWrap with padding, the python client is configured
   to request AES-CBC by default.

Change-Id: I4ba219bade821249b81e4e9a088959c27827ece1
---
 base/common/python/pki/crypto.py                   | 51 +++++++++++++-
 base/common/python/pki/key.py                      | 56 ++++++++++++---
 .../src/com/netscape/certsrv/key/KeyClient.java    |  4 ++
 .../com/netscape/kra/SecurityDataProcessor.java    | 79 ++++++++++++++++++----
 .../netscape/cms/servlet/key/KeyRequestDAO.java    |  9 +++
 5 files changed, 173 insertions(+), 26 deletions(-)

diff --git a/base/common/python/pki/crypto.py b/base/common/python/pki/crypto.py
index b767abd..0891acd 100644
--- a/base/common/python/pki/crypto.py
+++ b/base/common/python/pki/crypto.py
@@ -34,10 +34,21 @@ from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.ciphers import (
     Cipher, algorithms, modes
 )
+from cryptography.hazmat.primitives import keywrap
 from cryptography.hazmat.primitives import padding
 from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15
 import cryptography.x509
 
+# encryption algorithms OIDs
+DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
+AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
+
+# Wrap Algorithm names as defined by JSS.
+WRAP_AES_CBC_PAD = "AES/CBC/PKCS5Padding"
+WRAP_AES_KEY_WRAP = "AES KeyWrap"
+WRAP_AES_KEY_WRAP_PAD = "AES KeyWrap/Padding"
+WRAP_DES3_CBC_PAD = "DES3/CBC/Pad"
+
 
 class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
     """
@@ -96,7 +107,11 @@ class CryptoProvider(six.with_metaclass(abc.ABCMeta, object)):
         DES3 key.
         """
 
-    # abc.abstractmethod
+    @abc.abstractmethod
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """ Unwrap data that has been key wrapped using AES KeyWrap """
+
+    @abc.abstractmethod
     def get_cert(self, cert_nick):
         """ Get the certificate for the specified cert_nick. """
 
@@ -302,6 +317,18 @@ class NSSCryptoProvider(CryptoProvider):
         public_key = wrapping_cert.subject_public_key_info.public_key
         return nss.pub_wrap_sym_key(mechanism, public_key, data)
 
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """
+        :param mechanism        Key wrapping mechanism
+        :param data:            Data to be unwrapped
+        :param wrapping_key:    Wrapping Key
+        :param nonce_iv         Nonce data
+        :return:                Unwrapped data
+
+        Return unwrapped data for data wrapped using AES KeyWrap
+        """
+        raise NotImplementedError()
+
     def get_cert(self, cert_nick):
         """
         :param cert_nick       Nickname for the certificate to be returned
@@ -461,6 +488,28 @@ class CryptographyCryptoProvider(CryptoProvider):
             PKCS1v15()
         )
 
+    def key_unwrap(self, mechanism, data, wrapping_key, nonce_iv):
+        """
+        :param mechanism        key wrapping mechanism
+        :param data:            data to unwrap
+        :param wrapping_key:    AES key used to wrap data
+        :param nonce_iv         Nonce data
+        :return:                unwrapped data
+
+        Unwrap the encrypted data which has been wrapped using a
+        KeyWrap mechanism.
+        """
+        if mechanism == WRAP_AES_CBC_PAD or mechanism == WRAP_DES3_CBC_PAD:
+            return self.symmetric_unwrap(
+                data,
+                wrapping_key,
+                nonce_iv=nonce_iv)
+
+        if mechanism == WRAP_AES_KEY_WRAP:
+            return keywrap.aes_key_unwrap(wrapping_key, data, self.backend)
+
+        raise ValueError("Unsupported key wrap algorithm: " + mechanism)
+
     def get_cert(self, cert_nick):
         """
         :param cert_nick  Nickname for the certificate to be returned.
diff --git a/base/common/python/pki/key.py b/base/common/python/pki/key.py
index 6c5641a..e782d54 100644
--- a/base/common/python/pki/key.py
+++ b/base/common/python/pki/key.py
@@ -33,6 +33,7 @@ from six import iteritems
 from six.moves.urllib.parse import quote  # pylint: disable=F0401,E0611
 
 import pki
+import pki.crypto
 import pki.encoder as encoder
 from pki.info import Version
 import pki.util
@@ -459,10 +460,6 @@ class KeyClient(object):
     RSA_ALGORITHM = "RSA"
     DSA_ALGORITHM = "DSA"
 
-    # default session key wrapping algorithm
-    DES_EDE3_CBC_OID = "{1 2 840 113549 3 7}"
-    AES_128_CBC_OID = "{2 16 840 1 101 3 4 1 2}"
-
     def __init__(self, connection, crypto, transport_cert_nick=None,
                  info_client=None):
         """ Constructor """
@@ -481,6 +478,7 @@ class KeyClient(object):
 
         self.info_client = info_client
         self.encrypt_alg_oid = None
+        self.wrap_name = None
         self.set_crypto_algorithms()
 
     def set_transport_cert(self, transport_cert_nick):
@@ -502,9 +500,14 @@ class KeyClient(object):
 
         # set keyset related constants needed in KeyClient
         if keyset_id == 0:
-            self.encrypt_alg_oid = self.DES_EDE3_CBC_OID
+            self.encrypt_alg_oid = pki.crypto.DES_EDE3_CBC_OID
+            self.wrap_name = pki.crypto.WRAP_DES3_CBC_PAD
         else:
-            self.encrypt_alg_oid = self.AES_128_CBC_OID
+            self.encrypt_alg_oid = pki.crypto.AES_128_CBC_OID
+            # Note:  AES_KEY_WRAP_PAD is not yet supported by
+            # python cryptography.  Therefore we will default
+            # to AES_CBC_PAD instead
+            self.wrap_name = pki.crypto.WRAP_AES_CBC_PAD
 
     def get_client_keyset(self):
         # get client keyset
@@ -847,7 +850,7 @@ class KeyClient(object):
             raise TypeError('Missing wrapped session key')
 
         if not algorithm_oid:
-            algorithm_oid = KeyClient.AES_128_CBC_OID
+            algorithm_oid = pki.crypto.AES_128_CBC_OID
             # algorithm_oid = KeyClient.DES_EDE3_CBC_OID
 
         if not nonce_iv:
@@ -1015,16 +1018,47 @@ class KeyClient(object):
             request_id=request_id,
             trans_wrapped_session_key=base64.b64encode(
                 trans_wrapped_session_key),
-            payload_encryption_oid=self.encrypt_alg_oid
+            payload_encryption_oid=self.encrypt_alg_oid,
+            payload_wrapping_name=self.wrap_name
         )
 
         key = self.retrieve_key_data(request)
         if not key_provided and key.encrypted_data is not None:
-            key.data = self.crypto.symmetric_unwrap(
+            self.process_returned_key(key, session_key)
+        return key
+
+    @pki.handle_exceptions()
+    def process_returned_key(self, key, session_key):
+        """
+        Decrypt the returned key and place in key.data
+
+        The data will either by encrypted using an encryption algorithm -
+        in which case, the key data will contain an encryption algorithm OID,
+        or it will be key wrapped - in which case, the key data will contain
+        a key wrap mechanism name.
+
+        Only one of these should be present.  If we are talking to an older
+        server, and none is present, we will assume encryption.
+        """
+        if key.wrap_algorithm is not None:
+            if key.encrypt_algorithm_oid is not None:
+                raise ValueError(
+                    "Both encryptOID and wrapping name have been set " +
+                    "in server response"
+                )
+            # do key unwrapping here
+            key.data = self.crypto.key_unwrap(
+                key.wrap_algorithm,
                 key.encrypted_data,
                 session_key,
-                nonce_iv=key.nonce_data)
-        return key
+                key.nonce_data)
+            return
+
+        # do decryption
+        key.data = self.crypto.symmetric_unwrap(
+            key.encrypted_data,
+            session_key,
+            nonce_iv=key.nonce_data)
 
     @pki.handle_exceptions()
     def retrieve_key_by_passphrase(self, key_id=None, request_id=None,
diff --git a/base/common/src/com/netscape/certsrv/key/KeyClient.java b/base/common/src/com/netscape/certsrv/key/KeyClient.java
index dea44b1..2c99e1c 100644
--- a/base/common/src/com/netscape/certsrv/key/KeyClient.java
+++ b/base/common/src/com/netscape/certsrv/key/KeyClient.java
@@ -465,6 +465,7 @@ public class KeyClient extends Client {
         recoveryRequest.setRequestId(requestId);
         recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
         recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID());
+        recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString());
 
         Key data = retrieveKeyData(recoveryRequest);
         processKeyData(data, sessionKey);
@@ -503,6 +504,7 @@ public class KeyClient extends Client {
         recoveryRequest.setKeyId(keyId);
         recoveryRequest.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
         recoveryRequest.setPayloadEncryptionOID(getEncryptAlgorithmOID());
+        recoveryRequest.setPayloadWrappingName(wrapAlgorithm.toString());
 
         return retrieveKeyData(recoveryRequest);
     }
@@ -562,6 +564,7 @@ public class KeyClient extends Client {
         data.setSessionWrappedPassphrase(Utils.base64encode(sessionWrappedPassphrase));
         data.setNonceData(Utils.base64encode(nonceData));
         data.setPayloadEncryptionOID(getEncryptAlgorithmOID());
+        data.setPayloadWrappingName(wrapAlgorithm.toString());
 
         return retrieveKeyData(data);
     }
@@ -610,6 +613,7 @@ public class KeyClient extends Client {
         data.setKeyId(keyId);
         data.setRequestId(requestId);
         data.setPayloadEncryptionOID(getEncryptAlgorithmOID());
+        data.setPayloadWrappingName(wrapAlgorithm.toString());
 
         if (transWrappedSessionKey != null) {
             data.setTransWrappedSessionKey(Utils.base64encode(transWrappedSessionKey));
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 05dccb9..4659901 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -402,26 +402,34 @@ public class SecurityDataProcessor {
         String transportKeyAlgo = transportUnit.getCertificate().getPublicKey().getAlgorithm();
 
         byte[] iv = null;
+        byte[] iv_wrap = null;
         try {
-            iv = generate_iv(payloadEncryptOID, transportUnit.getOldWrappingParams());
+            iv = generate_iv(
+                    payloadEncryptOID,
+                    transportUnit.getOldWrappingParams().getPayloadEncryptionAlgorithm());
+            iv_wrap = generate_wrap_iv(
+                    payloadWrapName,
+                    transportUnit.getOldWrappingParams().getPayloadWrapAlgorithm());
         } catch (Exception e1) {
              throw new EBaseException("Failed to generate IV when wrapping secret", e1);
         }
-        String ivStr = Utils.base64encode(iv);
+        String ivStr = iv != null? Utils.base64encode(iv): null;
+        String ivStr_wrap = iv_wrap != null ? Utils.base64encode(iv_wrap): null;
 
         WrappingParams wrapParams = null;
         if (payloadEncryptOID == null) {
+            // talking to an old server, use 3DES
             wrapParams = transportUnit.getOldWrappingParams();
             wrapParams.setPayloadEncryptionIV(new IVParameterSpec(iv));
-            wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv));
+            wrapParams.setPayloadWrappingIV(new IVParameterSpec(iv_wrap));
         } else {
             try {
                 wrapParams = new WrappingParams(
                     payloadEncryptOID,
                     payloadWrapName,
                     transportKeyAlgo,
-                    new IVParameterSpec(iv),
-                    null);
+                    iv != null? new IVParameterSpec(iv): null,
+                    iv_wrap != null? new IVParameterSpec(iv_wrap): null);
             } catch (Exception e) {
                 auditRecoveryRequestProcessed(auditSubjectID, ILogger.FAILURE, requestID, serialno.toString(),
                         "Cannot generate wrapping params");
@@ -597,7 +605,7 @@ public class SecurityDataProcessor {
             //secret has wrapped using a key wrapping algorithm
             params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(true));
             if (wrapParams.getPayloadWrappingIV() != null) {
-                params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
+                params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr_wrap);
             }
         }
 
@@ -614,17 +622,60 @@ public class SecurityDataProcessor {
         return false; //return true ? TODO
     }
 
-    private byte[] generate_iv(String oid, WrappingParams old) throws Exception {
+    /***
+     * This method returns an IV for the Encryption Algorithm referenced in OID.
+     * If the oid is null, we return an IV for the default encryption algorithm.
+     * The method checks to see if the encryption algorithm requires an IV by checking
+     * the parameterClasses() for the encryption algorithm.
+     *
+     * @param oid           -- OID of encryption algorithm (as a string)
+     * @param defaultAlg    -- default encryption algorithm
+     * @return              -- initialization vector or null if none needed
+     * @throws Exception if algorithm is not found, or if default and OID are null.
+     *                   (ie. algorithm is unknown)
+     */
+    private byte[] generate_iv(String oid, EncryptionAlgorithm defaultAlg) throws Exception {
         int numBytes = 0;
-        if (oid != null) {
-            numBytes = EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)).getIVLength();
-        } else {
-            // old client (OID not provided)
-            numBytes = old.getPayloadEncryptionAlgorithm().getIVLength();
+        EncryptionAlgorithm alg = oid != null? EncryptionAlgorithm.fromOID(new OBJECT_IDENTIFIER(oid)):
+            defaultAlg;
+
+        if (alg == null) {
+            throw new EBaseException("Cannot determine encryption algorithm to generate IV");
+        };
+
+        if (alg.getParameterClasses() == null)
+            return null;
+
+        numBytes = alg.getIVLength();
+        return (new SecureRandom()).generateSeed(numBytes);
+    }
+
+    /***
+     * This method returns an IV for the KeyWrap algorithm referenced in wrapName.
+     * If the wrapName is null, we return an IV for the default wrap algorithm.
+     * The method checks to see if the key wrap algorithm requires an IV by checking
+     * the parameterClasses() for the key wrap algorithm.
+     *
+     * @param wrapName      -- name of the key wrap algorithm (as defined in JSS)
+     * @param defaultAlg    -- default wrapping parameters
+     * @return              -- initialization vector or null if none needed
+     * @throws Exception if algorithm is not found, or if default and OID are null.
+     *                   (ie. algorithm is unknown)
+     */
+    private byte[] generate_wrap_iv(String wrapName, KeyWrapAlgorithm defaultAlg) throws Exception {
+        int numBytes = 0;
+        KeyWrapAlgorithm alg = wrapName != null ? KeyWrapAlgorithm.fromString(wrapName) :
+            defaultAlg;
+
+        if (alg == null) {
+            throw new EBaseException("Cannot determine keywrap algorithm to generate IV");
         }
 
-        SecureRandom rnd = new SecureRandom();
-        return rnd.generateSeed(numBytes);
+        if (alg.getParameterClasses() == null)
+            return null;
+
+        numBytes = alg.getBlockSize();
+        return (new SecureRandom()).generateSeed(numBytes);
     }
 
     public SymmetricKey recoverSymKey(KeyRecord keyRecord)
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
index b2008f2..5ffb36b 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRequestDAO.java
@@ -283,6 +283,10 @@ public class KeyRequestDAO extends CMSRequestDAO {
         if (encryptOID != null)
             request.setExtData(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID);
 
+        String wrapName = data.getPayloadWrappingName();
+        if (wrapName != null)
+            request.setExtData(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName);
+
         return request;
     }
 
@@ -294,6 +298,7 @@ public class KeyRequestDAO extends CMSRequestDAO {
         String wrappedPassPhraseStr = data.getSessionWrappedPassphrase();
         String nonceDataStr = data.getNonceData();
         String encryptOID = data.getPaylodEncryptionOID();
+        String wrapName = data.getPayloadWrappingName();
 
         if (wrappedPassPhraseStr != null) {
             requestParams.put(IRequest.SECURITY_DATA_SESS_PASS_PHRASE, wrappedPassPhraseStr);
@@ -310,6 +315,10 @@ public class KeyRequestDAO extends CMSRequestDAO {
         if (encryptOID != null) {
             requestParams.put(IRequest.SECURITY_DATA_PL_ENCRYPTION_OID, encryptOID);
         }
+
+        if (wrapName != null) {
+            requestParams.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME, wrapName);
+        }
     }
 
     public Hashtable<String, Object> getTransientData(IRequest request) throws EBaseException {
-- 
1.8.3.1


From 2d7ab34b812eb1cf28c7c53fb43bf595f94a806f Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 13 Apr 2017 14:54:38 -0400
Subject: [PATCH 57/59] Add field to indicate if key was encrypted or wrapped

Whether a secret was encrypted or wrapped in the storage unit
depends on a parameter in CS.cfg.  If that parameter is changed,
the Storage unit may use the wrong mechanism to try to decrypt
the stored key.  Thats ok for encrypt/wrap using DES or AES-CBC,
but not for AES KeyWrap.

In this patch, we add a field in the Key record to specify whether
the secret was encrypted with stored (or keywrapped if false).

A subsequent patch will change the logic when decrypting to use
this field.

Change-Id: If535156179bd1259cfaaf5e56fd4d36ffdb0eb0e
---
 base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java    | 2 +-
 base/kra/src/com/netscape/kra/AsymKeyGenService.java              | 8 ++++++--
 base/kra/src/com/netscape/kra/EnrollmentService.java              | 2 +-
 base/kra/src/com/netscape/kra/NetkeyKeygenService.java            | 3 ++-
 base/kra/src/com/netscape/kra/SecurityDataProcessor.java          | 5 ++++-
 base/kra/src/com/netscape/kra/SymKeyGenService.java               | 3 ++-
 .../cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java     | 1 +
 base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java   | 3 ++-
 8 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
index aa4eb30..c947d3c 100644
--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
@@ -170,7 +170,7 @@ public interface IKeyRecord {
      */
     public String getRealm() throws EBaseException;
 
-    public void setWrappingParams(WrappingParams params) throws Exception;
+    public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception;
 
     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception;
 }
diff --git a/base/kra/src/com/netscape/kra/AsymKeyGenService.java b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
index bd2be70..9528972 100644
--- a/base/kra/src/com/netscape/kra/AsymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/AsymKeyGenService.java
@@ -30,6 +30,7 @@ import org.mozilla.jss.crypto.TokenException;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
+import com.netscape.certsrv.base.IConfigStore;
 import com.netscape.certsrv.dbs.keydb.IKeyRecord;
 import com.netscape.certsrv.dbs.keydb.IKeyRepository;
 import com.netscape.certsrv.key.AsymKeyGenerationRequest;
@@ -72,7 +73,7 @@ public class AsymKeyGenService implements IService {
 
     @Override
     public boolean serviceRequest(IRequest request) throws EBaseException {
-
+        IConfigStore cs = CMS.getConfigStore();
         String clientKeyId = request.getExtDataInString(IRequest.SECURITY_DATA_CLIENT_KEY_ID);
         String algorithm = request.getExtDataInString(IRequest.KEY_GEN_ALGORITHM);
 
@@ -81,6 +82,8 @@ public class AsymKeyGenService implements IService {
 
         String realm = request.getRealm();
 
+        boolean allowEncDecrypt_archival = cs.getBoolean("kra.allowEncDecrypt.archival", false);
+
         KeyPairGeneratorSpi.Usage[] usageList = null;
         String usageStr = request.getExtDataInString(IRequest.KEY_GEN_USAGES);
         if (usageStr != null) {
@@ -164,6 +167,7 @@ public class AsymKeyGenService implements IService {
         WrappingParams params = null;
 
         try {
+            // TODO(alee) What happens if key wrap algorithm is not supported?
             params = storageUnit.getWrappingParams();
             privateSecurityData = storageUnit.wrap((PrivateKey) kp.getPrivate(), params);
         } catch (Exception e) {
@@ -201,7 +205,7 @@ public class AsymKeyGenService implements IService {
         }
 
         try {
-            record.setWrappingParams(params);
+            record.setWrappingParams(params, false);
         } catch (Exception e) {
             auditAsymKeyGenRequestProcessed(auditSubjectID, ILogger.FAILURE, request.getRequestId(),
                     clientKeyId, null, "Failed to store wrapping params");
diff --git a/base/kra/src/com/netscape/kra/EnrollmentService.java b/base/kra/src/com/netscape/kra/EnrollmentService.java
index 7c179d4..381fee8 100644
--- a/base/kra/src/com/netscape/kra/EnrollmentService.java
+++ b/base/kra/src/com/netscape/kra/EnrollmentService.java
@@ -502,7 +502,7 @@ public class EnrollmentService implements IService {
             }
 
             try {
-                rec.setWrappingParams(params);
+                rec.setWrappingParams(params, allowEncDecrypt_archival);
             } catch (Exception e) {
                 mKRA.log(ILogger.LL_FAILURE, "Failed to store wrapping parameters");
                 // TODO(alee) Set correct audit message here
diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 4926873..e09eb42 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -584,6 +584,7 @@ public class NetkeyKeygenService implements IService {
                     WrappingParams params = null;
 
                     try {
+                        // TODO(alee)  What happens if key wrap algorithm is not supported?
                         params = mStorageUnit.getWrappingParams();
                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
                     } catch (Exception e) {
@@ -656,7 +657,7 @@ public class NetkeyKeygenService implements IService {
                         return false;
                     }
 
-                    rec.setWrappingParams(params);
+                    rec.setWrappingParams(params, false);
 
                     CMS.debug("NetkeyKeygenService: before addKeyRecord");
                     rec.set(KeyRecord.ATTR_ID, serialNo);
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 4659901..4261833 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -214,6 +214,7 @@ public class SecurityDataProcessor {
 
         byte[] publicKey = null;
         byte privateSecurityData[] = null;
+        boolean doEncrypt = false;
 
         try {
             params = storageUnit.getWrappingParams();
@@ -222,9 +223,11 @@ public class SecurityDataProcessor {
             } else if (unwrapped != null && allowEncDecrypt_archival == true) {
                 privateSecurityData = storageUnit.encryptInternalPrivate(unwrapped, params);
                 Arrays.fill(unwrapped, (byte)0);
+                doEncrypt = true;
                 CMS.debug("allowEncDecrypt_archival of symmetric key.");
             } else if (securityData != null) {
                 privateSecurityData = storageUnit.encryptInternalPrivate(securityData, params);
+                doEncrypt = true;
             } else { // We have no data.
                 auditArchivalRequestProcessed(auditSubjectID, ILogger.FAILURE, requestId,
                         clientKeyId, null, "Failed to create security data to archive");
@@ -282,7 +285,7 @@ public class SecurityDataProcessor {
         }
 
         try {
-            rec.setWrappingParams(params);
+            rec.setWrappingParams(params, doEncrypt);
         } catch (Exception e) {
             kra.log(ILogger.LL_FAILURE,
                     "Failed to store wrapping parameters: " + e);
diff --git a/base/kra/src/com/netscape/kra/SymKeyGenService.java b/base/kra/src/com/netscape/kra/SymKeyGenService.java
index 0dfd3a2..c1830ec 100644
--- a/base/kra/src/com/netscape/kra/SymKeyGenService.java
+++ b/base/kra/src/com/netscape/kra/SymKeyGenService.java
@@ -170,6 +170,7 @@ public class SymKeyGenService implements IService {
         }
 
         try {
+            // TODO(alee) what happens if key wrap algorithm is not supported?
             params = mStorageUnit.getWrappingParams();
             privateSecurityData = mStorageUnit.wrap(sk, params);
         } catch (Exception e) {
@@ -215,7 +216,7 @@ public class SymKeyGenService implements IService {
         }
 
         try {
-            rec.setWrappingParams(params);
+            rec.setWrappingParams(params, false);
         } catch (Exception e) {
             mKRA.log(ILogger.LL_FAILURE,
                     "Failed to store wrapping parameters: " + e);
diff --git a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
index b1e6cd6..f4e54c4 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/key/KeyRecordParser.java
@@ -60,6 +60,7 @@ public class KeyRecordParser {
     public final static String OUT_PL_ENCRYPTION_IV = "payloadEncryptionIV";
     public final static String OUT_PL_ENCRYPTION_IV_LEN = "payloadEncryptionIVLen";
     public final static String OUT_PL_ENCRYPTION_OID = "payloadEncryptionOID";
+    public static final String OUT_PL_ENCRYPTED = "payloadEncrypted";
 
     /**
      * Fills key record into argument block.
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
index 97f4942..b082165 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -407,7 +407,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
         return realm;
     }
 
-    public void setWrappingParams(WrappingParams params) throws Exception {
+    public void setWrappingParams(WrappingParams params, boolean doEncrypt) throws Exception {
         if (mMetaInfo == null) {
             mMetaInfo = new MetaInfo();
         }
@@ -456,6 +456,7 @@ public class KeyRecord implements IDBObj, IKeyRecord {
             );
         }
 
+        mMetaInfo.set(KeyRecordParser.OUT_PL_ENCRYPTED, Boolean.toString(doEncrypt));
     }
 
     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception {
-- 
1.8.3.1


From b04739d364e7e220da29ce8d47654377999ad881 Mon Sep 17 00:00:00 2001
From: Christina Fu <cfu@redhat.com>
Date: Thu, 13 Apr 2017 16:53:58 -0700
Subject: [PATCH 58/59] Ticket #2614 CMC: id-cmc-popLinkWitnessV2 feature
 implementation This patch provides the feature for CMC on handling
 id-cmc-popLinkWitnessV2

---
 .../src/com/netscape/cmstools/CMCRequest.java      | 458 +++++++++++++++++++--
 .../src/com/netscape/cmstools/CRMFPopClient.java   |  10 +-
 .../src/com/netscape/cmstools/PKCS10Client.java    |  22 +-
 .../netscape/cms/profile/common/EnrollProfile.java | 421 ++++++++++++++-----
 .../cms/servlet/common/CMCOutputTemplate.java      |  12 +
 base/server/cmsbundle/src/UserMessages.properties  |   2 +
 6 files changed, 770 insertions(+), 155 deletions(-)

diff --git a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
index a2aca8a..ac523ad 100644
--- a/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
+++ b/base/java-tools/src/com/netscape/cmstools/CMCRequest.java
@@ -34,6 +34,7 @@ import java.security.NoSuchAlgorithmException;
 import java.text.SimpleDateFormat;
 import java.util.Arrays;
 import java.util.Date;
+import java.util.Random;
 import java.util.StringTokenizer;
 
 import org.mozilla.jss.CryptoManager;
@@ -53,10 +54,12 @@ import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.DigestAlgorithm;
 import org.mozilla.jss.crypto.ObjectNotFoundException;
 import org.mozilla.jss.crypto.PrivateKey;
+import org.mozilla.jss.crypto.Signature;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.crypto.SymmetricKey;
 import org.mozilla.jss.crypto.X509Certificate;
 import org.mozilla.jss.pkcs10.CertificationRequest;
+import org.mozilla.jss.pkcs10.CertificationRequestInfo;
 import org.mozilla.jss.pkix.cmc.CMCCertId;
 import org.mozilla.jss.pkix.cmc.CMCStatusInfo;
 import org.mozilla.jss.pkix.cmc.DecryptedPOP;
@@ -68,6 +71,7 @@ import org.mozilla.jss.pkix.cmc.OtherInfo;
 import org.mozilla.jss.pkix.cmc.OtherMsg;
 import org.mozilla.jss.pkix.cmc.PKIData;
 import org.mozilla.jss.pkix.cmc.PendInfo;
+import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
 import org.mozilla.jss.pkix.cmc.ResponseBody;
 import org.mozilla.jss.pkix.cmc.TaggedAttribute;
 import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
@@ -85,7 +89,11 @@ import org.mozilla.jss.pkix.cms.SignerInfo;
 import org.mozilla.jss.pkix.crmf.CertReqMsg;
 import org.mozilla.jss.pkix.crmf.CertRequest;
 import org.mozilla.jss.pkix.crmf.CertTemplate;
+import org.mozilla.jss.pkix.crmf.POPOSigningKey;
+import org.mozilla.jss.pkix.crmf.ProofOfPossession;
+import org.mozilla.jss.pkix.primitive.AVA;
 import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
+import org.mozilla.jss.pkix.primitive.Attribute;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.util.Password;
@@ -148,6 +156,43 @@ public class CMCRequest {
     }
 
     /**
+     * getSigningAlgFromPrivate
+     *
+     */
+    static SignatureAlgorithm getSigningAlgFromPrivate (java.security.PrivateKey privKey) {
+        String method = "getSigningAlgFromPrivate: ";
+        System.out.println(method + "begins.");
+
+        if (privKey == null) {
+            System.out.println(method + "method param privKey cannot be null");
+            System.exit(1);
+        }
+
+        SignatureAlgorithm signAlg = null;
+        /*
+            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType =
+                    ((org.mozilla.jss.crypto.PrivateKey) privKey)
+                    .getType();
+        */
+        // TODO: allow more options later
+        String signingKeyType = privKey.getAlgorithm();
+        System.out.println(method + "found signingKeyType=" + signingKeyType);
+        if (signingKeyType.equalsIgnoreCase("RSA")) {
+            signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
+        } else if (signingKeyType.equalsIgnoreCase("EC")) {
+            signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
+        } else {
+            System.out.println(method + "Algorithm not supported:" +
+                    signingKeyType);
+            return null;
+        }
+        System.out.println(method + "using SignatureAlgorithm: " +
+                signAlg.toString());
+
+        return signAlg;
+    }
+
+    /**
      * signData signs the request PKIData
      *
      * @param signerCert the certificate of the authorized signer of the CMC revocation request.
@@ -190,17 +235,9 @@ public class CMCRequest {
 
             EncapsulatedContentInfo ci = new EncapsulatedContentInfo(OBJECT_IDENTIFIER.id_cct_PKIData, pkidata);
             DigestAlgorithm digestAlg = null;
-            SignatureAlgorithm signAlg = null;
-            org.mozilla.jss.crypto.PrivateKey.Type signingKeyType = ((org.mozilla.jss.crypto.PrivateKey) privKey)
-                    .getType();
-            if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.RSA)) {
-                signAlg = SignatureAlgorithm.RSASignatureWithSHA256Digest;
-            } else if (signingKeyType.equals(org.mozilla.jss.crypto.PrivateKey.Type.EC)) {
-                signAlg = SignatureAlgorithm.ECSignatureWithSHA256Digest;
-            } else {
-                System.out.println("Algorithm not supported");
+            SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privKey);
+            if (signAlg == null)
                 return null;
-            }
 
             MessageDigest SHADigest = null;
 
@@ -292,9 +329,13 @@ public class CMCRequest {
             String transactionMgtId,
             String identificationEnable, String identification,
             String identityProofEnable, String identityProofSharedSecret,
-            String identityProofV2Enable, String witnessSharedSecret,
+            String witnessSharedSecret,
+            String identityProofV2Enable,
             String identityProofV2hashAlg, String identityProofV2macAlg,
-            SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid) {
+            String popLinkWitnessV2Enable,
+            String popLinkWitnessV2keyGenAlg, String popLinkWitnessV2macAlg,
+            SEQUENCE controlSeq, SEQUENCE otherMsgSeq, int bpid,
+            CryptoToken token, PrivateKey privk) {
 
         String method = "createPKIData: ";
 
@@ -305,6 +346,26 @@ public class CMCRequest {
             TaggedRequest trq = null;
             PKCS10 pkcs = null;
             CertReqMsg certReqMsg = null;
+            CertReqMsg new_certReqMsg = null;
+            CertRequest new_certreq = null;
+
+            PopLinkWitnessV2 popLinkWitnessV2Control = null;
+            if (popLinkWitnessV2Enable.equals("true")) {
+                popLinkWitnessV2Control =
+                        createPopLinkWitnessV2Attr(
+                                bpid,
+                                controlSeq,
+                                witnessSharedSecret,
+                                popLinkWitnessV2keyGenAlg,
+                                popLinkWitnessV2macAlg,
+                                (identificationEnable.equals("true")) ?
+                                        identification : null);
+                if (popLinkWitnessV2Control == null) {
+                    System.out.println(method +
+                            "createPopLinkWitnessV2Attr returned null...exit");
+                    System.exit(1);
+                }
+            }
 
             // create CMC req
             SEQUENCE reqSequence = new SEQUENCE();
@@ -325,9 +386,63 @@ public class CMCRequest {
                             System.exit(1);
                         }
                         certReqMsg = (CertReqMsg) crmfMsgs.elementAt(0);
-                        trq = new TaggedRequest(TaggedRequest.CRMF, null,
-                                certReqMsg);
+
+                        if (popLinkWitnessV2Enable.equals("true")) {
+                            System.out.println(method +
+                                    "popLinkWitnessV2 enabled. reconstructing crmf");
+                            //crmf reconstruction to include PopLinkWitnessV2 control
+                            CertRequest certReq = certReqMsg.getCertReq();
+                            INTEGER certReqId = certReq.getCertReqId();
+                            CertTemplate certTemplate = certReq.getCertTemplate();
+                            SEQUENCE controls = certReq.getControls();
+                            controls.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2,
+                                    popLinkWitnessV2Control));
+                            new_certreq = new CertRequest(certReqId, certTemplate, controls);
+
+                            // recalculate signing POP, if it had one
+                            ProofOfPossession new_pop = null;
+                            if (certReqMsg.hasPop()) {
+                                if (privk == null) {
+                                    System.out.println(method +
+                                            "privateKey not found; can't regenerate new POP");
+                                    System.exit(1);
+                                }
+                                if (token == null) {
+                                    System.out.println(method +
+                                            "token not found; can't regenerate new POP");
+                                    System.exit(1);
+                                }
+                                new_pop = createNewPOP(
+                                        certReqMsg,
+                                        new_certreq,
+                                        token,
+                                        privk);
+                            } else { // !hasPop
+                                System.out.println(method +
+                                        "old certReqMsg has no pop, so will the new certReqMsg");
+                            }
+
+                            new_certReqMsg = new CertReqMsg(new_certreq, new_pop, null);
+                            SEQUENCE seq = new SEQUENCE();
+                            seq.addElement(new_certReqMsg);
+
+                            byte[] encodedNewCrmfMessage = ASN1Util.encode(seq);
+                            String b64String = Utils.base64encode(encodedNewCrmfMessage);
+                            System.out.println(method + "new CRMF b64encode completes.");
+                            System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING);
+                            System.out.println(b64String);
+                            System.out.println(CryptoUtil.CERTREQ_END_HEADING);
+                            System.out.println("");
+
+                            trq = new TaggedRequest(TaggedRequest.CRMF, null,
+                                    new_certReqMsg);
+
+                        } else { // !popLinkWitnessV2Enable
+                            trq = new TaggedRequest(TaggedRequest.CRMF, null,
+                                    certReqMsg);
+                        }
                     } else if (format.equals("pkcs10")) {
+                        System.out.println(method + " format: pkcs10");
                         try {
                             pkcs = new PKCS10(decodedBytes, true);
                         } catch (Exception e2) {
@@ -338,9 +453,82 @@ public class CMCRequest {
                                 pkcs.toByteArray());
                         CertificationRequest cr = (CertificationRequest) CertificationRequest.getTemplate()
                                 .decode(crInputStream);
-                        TaggedCertificationRequest tcr = new TaggedCertificationRequest(
-                                new INTEGER(bpid++), cr);
-                        trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
+                        if (popLinkWitnessV2Enable.equals("true")) {
+                            System.out.println(method +
+                                    "popLinkWitnessV2 enabled. reconstructing pkcs#10");
+                            //pkcs#10 reconstruction to include PopLinkWitnessV2 control
+
+                            CertificationRequestInfo certReqInfo = cr.getInfo();
+
+                            INTEGER version = certReqInfo.getVersion();
+                            Name subject = certReqInfo.getSubject();
+                            SubjectPublicKeyInfo spkInfo = certReqInfo.getSubjectPublicKeyInfo();
+                            /*
+                            AlgorithmIdentifier alg = spkInfo.getAlgorithmIdentifier();
+                            SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(alg.getOID());
+                            if (signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest) {
+                                System.out.println(method +
+                                        "signAlg == SignatureAlgorithm.RSASignatureWithSHA256Digest");
+                            } else {
+                                System.out.println(method +
+                                        "signAlg == " + signAlg.toString());
+                            }
+                            */
+
+                            Attribute attr = new Attribute(
+                                    OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2,
+                                    popLinkWitnessV2Control);
+                            SET attrs = certReqInfo.getAttributes();
+                            if (attrs == null) {
+                                attrs = new SET();
+                            }
+                            attrs.addElement(attr);
+                            System.out.println(method +
+                                    " new pkcs#10 Attribute created for id_cmc_popLinkWitnessV2.");
+
+                            SignatureAlgorithm signAlg = getSigningAlgFromPrivate(privk);
+                            if (signAlg == null) {
+                                System.out.println(method +
+                                        "signAlg not found");
+                                System.exit(1);
+                            }
+                            CertificationRequestInfo new_certReqInfo = new CertificationRequestInfo(
+                                    version,
+                                    subject,
+                                    spkInfo,
+                                    attrs);
+                            System.out.println(method +
+                                    " new pkcs#10 CertificationRequestInfo created.");
+
+                            CertificationRequest new_certRequest = new CertificationRequest(
+                                    new_certReqInfo,
+                                    privk,
+                                    signAlg);
+                            System.out.println(method +
+                                    "new pkcs#10 CertificationRequest created.");
+
+                            ByteArrayOutputStream bos = new ByteArrayOutputStream();
+                            new_certRequest.encode(bos);
+                            byte[] bb = bos.toByteArray();
+
+                            System.out.println(method + "calling Utils.b64encode.");
+                            String b64String = Utils.base64encode(bb);
+                            System.out.println(method + "new PKCS#10 b64encode completes.");
+                            System.out.println(CryptoUtil.CERTREQ_BEGIN_HEADING);
+                            System.out.println(b64String);
+                            System.out.println(CryptoUtil.CERTREQ_END_HEADING);
+                            System.out.println("");
+
+                            TaggedCertificationRequest tcr = new TaggedCertificationRequest(
+                                    new INTEGER(bpid++), new_certRequest);
+                            trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
+
+                        } else { // !popLinkWitnessV2Enable
+
+                            TaggedCertificationRequest tcr = new TaggedCertificationRequest(
+                                    new INTEGER(bpid++), cr);
+                            trq = new TaggedRequest(TaggedRequest.PKCS10, tcr, null);
+                        }
                     } else {
                         System.out.println(method + " Unrecognized request format: " + format);
                         System.exit(1);
@@ -348,7 +536,7 @@ public class CMCRequest {
                     reqSequence.addElement(trq);
                 }
             } catch (Exception e) {
-                System.out.println(method + " Exception:" + e.toString());
+                System.out.println(method + " Exception:" + e);
                 System.exit(1);
             }
 
@@ -380,6 +568,63 @@ public class CMCRequest {
         return pkidata;
     }
 
+    /**
+     * createNewPOP
+     * called in case of PopLinkwitnessV2 when pop exists, thus
+     * requiring recalculation due to changes in CertRequest controls
+     *
+     * @param old_certReqMsg,
+     * @param new_certReqMsg,
+     * @param token,
+     * @param privKey
+     *
+     * @author cfu
+     */
+    static ProofOfPossession createNewPOP(
+            CertReqMsg old_certReqMsg,
+            CertRequest new_certReq,
+            CryptoToken token,
+            PrivateKey privKey) {
+        String method = "createNewPOP: ";
+
+        System.out.println(method + "begins");
+        if (old_certReqMsg == null ||
+                new_certReq == null ||
+                token == null ||
+                privKey == null) {
+            System.out.println(method + "method params cannot be null.");
+            System.exit(1);
+        }
+        ProofOfPossession old_pop = old_certReqMsg.getPop();
+        if (old_pop == null) {
+            System.out.println(method + "no pop in old_certReqMsg.");
+            System.exit(1);
+        }
+
+        POPOSigningKey PopOfsignKey = old_pop.getSignature();
+        AlgorithmIdentifier algId = PopOfsignKey.getAlgorithmIdentifier();
+
+        byte[] signature = null;
+        try {
+            SignatureAlgorithm signAlg = SignatureAlgorithm.fromOID(algId.getOID());
+            Signature signer = token.getSignatureContext(signAlg);
+            signer.initSign(privKey);
+            ByteArrayOutputStream bo = new ByteArrayOutputStream();
+            new_certReq.encode(bo);
+            signer.update(bo.toByteArray());
+            signature = signer.sign();
+        } catch (Exception e) {
+            System.out.println(method + e);
+            System.exit(1);
+        }
+
+        System.out.println(method + "about to create POPOSigningKey");
+        POPOSigningKey newPopOfSigningKey = new POPOSigningKey(null, algId, new BIT_STRING(signature, 0));
+
+        System.out.println(method + "creating and returning newPopOfSigningKey");
+        return ProofOfPossession.createSignature(newPopOfSigningKey);
+    }
+
     static void printUsage() {
         System.out.println("");
         System.out.println("Usage: CMCRequest <configuration file>");
@@ -516,13 +761,29 @@ public class CMCRequest {
         System.out.println("identityProofV2.hashAlg=SHA-256");
         System.out.println("identityProofV2.macAlg=SHA-256-HMAC");
         System.out.println("");
+        System.out.println("#witness.sharedSecret works with identityProofV2 and popLinkWitnessV2");
         System.out.println("#witness.sharedSecret: Shared Secret");
         System.out.println("witness.sharedSecret=testing");
         System.out.println("");
-        System.out.println("#identification works with identityProofV2");
+        System.out.println("#identification works with identityProofV2 and popLinkWitnessV2");
         System.out.println("identification.enable=false");
         System.out.println("identification=testuser");
         System.out.println("");
+        System.out.println("#popLinkWitnessV2.enable:  if true, then the underlying request will contain");
+        System.out.println("#this control or attribute. Otherwise, false.");
+        System.out.println("#Supported keyGenAlg are:");
+        System.out.println("# SHA-256, SHA-384, and SHA-512");
+        System.out.println("#Supported macAlg are:");
+        System.out.println("# SHA-256-HMAC, SHA-384-HMAC, and SHA-512-HMAC");
+        System.out.println("popLinkWitnessV2.enable=false");
+        System.out.println("popLinkWitnessV2.keyGenAlg=SHA-256");
+        System.out.println("popLinkWitnessV2.macAlg=SHA-256-HMAC");
+        System.out.println("");
+        System.out.println("");
+        System.out.println("###############################");
+        System.out.println("Note: The following controls are outdated and replaced by newer");
+        System.out.println("      controls above.  They remain untouched, but also untested.");
+        System.out.println("###############################");
         System.out.println("#identityProof.enable: if true, then the request will contain");
         System.out.println("#this control. Otherwise, false.");
         System.out.println("#Note that this control is updated by identityProofV2 above");
@@ -879,7 +1140,7 @@ public class CMCRequest {
             System.out.println("");
             seq.addElement(getCertControl);
         } catch (Exception e) {
-            System.out.println("Error in creating get certificate control. Check the parameters.");
+            System.out.println("Error in creating get certificate control. Check the parameters." + e);
             System.exit(1);
         }
 
@@ -1023,6 +1284,118 @@ public class CMCRequest {
         return bpid;
     }
 
+    /**
+     * createPopLinkWitnessV2Attr generates witness v2
+     *
+     * @param
+     * @return PopLinkWitnessV2
+     *
+     * @author cfu
+     */
+    private static PopLinkWitnessV2 createPopLinkWitnessV2Attr(
+            int bpid, SEQUENCE controlSeq,
+            String sharedSecret,
+            String keyGenAlgString,
+            String macAlgString,
+            String ident) {
+
+        String method = "createPopLinkWitnessV2Attr: ";
+        System.out.println(method + "begins");
+
+        if (sharedSecret == null) {
+            System.out.println(method + "method param sharedSecret cannot be null");
+            System.exit(1);
+        }
+
+        byte[] key = null;
+        byte[] finalDigest = null;
+
+        // (1) generate a random byte-string R of 512 bits
+        Random random = new Random();
+        byte[] random_R = new byte[64];
+        random.nextBytes(random_R);
+
+        // default to SHA256 if not specified
+        if (keyGenAlgString == null) {
+            keyGenAlgString = "SHA-256";
+        }
+        if (macAlgString == null) {
+            macAlgString = "SHA-256-HMAC";
+        }
+        System.out.println(method + "keyGenAlg=" + keyGenAlgString +
+                "; macAlg=" + macAlgString);
+
+        String toBeDigested = sharedSecret;
+        if (ident != null) {
+            toBeDigested = sharedSecret + ident;
+        }
+
+        // (2) compute key from sharedSecret + identity
+        try {
+            MessageDigest hash = MessageDigest.getInstance(keyGenAlgString);
+            key = hash.digest(toBeDigested.getBytes());
+        } catch (NoSuchAlgorithmException ex) {
+            System.out.println(method + "No such algorithm!");
+            return null;
+        }
+
+        MessageDigest mac;
+        // (3) compute MAC over R from (1) using key from (2)
+        try {
+            mac = MessageDigest.getInstance(
+                    CryptoUtil.getHMACtoMessageDigestName(macAlgString));
+            HMACDigest hmacDigest = new HMACDigest(mac, key);
+            hmacDigest.update(random_R);
+            finalDigest = hmacDigest.digest();
+        } catch (NoSuchAlgorithmException ex) {
+            System.out.println(method + "No such algorithm!");
+            return null;
+        }
+
+        // (4) encode R as the value of a POP Link Random control
+        TaggedAttribute idPOPLinkRandom =
+                new TaggedAttribute(new INTEGER(bpid++),
+                OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom,
+                new OCTET_STRING(random_R));
+        controlSeq.addElement(idPOPLinkRandom);
+        System.out.println(method +
+                "Successfully created id_cmc_idPOPLinkRandom control. bpid = "
+                + (bpid - 1));
+
+        AlgorithmIdentifier keyGenAlg;
+        try {
+            keyGenAlg = new AlgorithmIdentifier(
+                    CryptoUtil.getHashAlgorithmOID(keyGenAlgString));
+        } catch (NoSuchAlgorithmException ex) {
+            System.out.println(method + "No such hashing algorithm:" + keyGenAlgString);
+            return null;
+        }
+        AlgorithmIdentifier macAlg;
+        try {
+            macAlg = new AlgorithmIdentifier(
+                    CryptoUtil.getHMACAlgorithmOID(macAlgString));
+        } catch (NoSuchAlgorithmException ex) {
+            System.out.println(method + "No such HMAC algorithm:" + macAlgString);
+            return null;
+        }
+
+        // (5) put MAC value from (3) in PopLinkWitnessV2
+        PopLinkWitnessV2 popLinkWitnessV2 =
+                new PopLinkWitnessV2(keyGenAlg, macAlg,
+                        new OCTET_STRING(finalDigest));
+        /*
+         * for CRMF, needs to go into CRMF controls field of the CertRequest structure.
+         * for PKCS#10, needs to go into the aributes field of CertificationRequestInfo structure
+         *   - return the PopLinkWitnessV2 for such surgical procedure
+         */
+        System.out.println(method + "Successfully created PopLinkWitnessV2 control.");
+
+        System.out.println(method + "returning...");
+        System.out.println("");
+
+        return popLinkWitnessV2;
+    }
+
     private static int addPopLinkWitnessAttr(int bpid, SEQUENCE controlSeq) {
         byte[] seed =
         { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
@@ -1309,7 +1682,8 @@ public class CMCRequest {
         String dbdir = null, nickname = null;
         String tokenName = null;
         String ifilename = null, ofilename = null, password = null, format = null;
-        String decryptedPopEnable = "false", encryptedPopResponseFile=null, privKeyId = null, decryptedPopRequestFile= null;
+        String privKeyId = null;
+        String decryptedPopEnable = "false", encryptedPopResponseFile=null, decryptedPopRequestFile= null;
         String confirmCertEnable = "false", confirmCertIssuer = null, confirmCertSerial = null;
         String getCertEnable = "false", getCertIssuer = null, getCertSerial = null;
         String dataReturnEnable = "false", dataReturnData = null;
@@ -1321,7 +1695,9 @@ public class CMCRequest {
         String revRequestInvalidityDatePresent = "false";
         String identificationEnable = "false", identification = null;
         String identityProofEnable = "false", identityProofSharedSecret = null;
-        String identityProofV2Enable = "false", witnessSharedSecret = null, identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
+        String identityProofV2Enable = "false", identityProofV2hashAlg = "SHA256", identityProofV2macAlg = "SHA256";
+        String witnessSharedSecret = null; //shared by identityProofV2 and popLinkWitnessV2
+        String popLinkWitnessV2Enable = "false", popLinkWitnessV2keyGenAlg = "SHA256", popLinkWitnessV2macAlg = "SHA256";
         String popLinkWitnessEnable = "false";
         String bodyPartIDs = null, lraPopWitnessEnable = "false";
 
@@ -1378,6 +1754,8 @@ public class CMCRequest {
                         ofilename = val;
                     } else if (name.equals("input")) {
                         ifilename = val;
+                    } else if (name.equals("numRequests")) {
+                        numRequests = val;
                     } else if (name.equals("decryptedPop.enable")) {
                         decryptedPopEnable = val;
                     } else if (name.equals("encryptedPopResponseFile")) {
@@ -1430,14 +1808,21 @@ public class CMCRequest {
                         identificationEnable = val;
                     } else if (name.equals("identification")) {
                         identification = val;
-                    } else if (name.equals("identityProofV2.enable")) {
-                        identityProofV2Enable = val;
                     } else if (name.equals("witness.sharedSecret")) {
                         witnessSharedSecret = val;
+                    } else if (name.equals("identityProofV2.enable")) {
+                        identityProofV2Enable = val;
                     } else if (name.equals("identityProofV2.hashAlg")) {
                         identityProofV2hashAlg = val;
                     } else if (name.equals("identityProofV2.macAlg")) {
                         identityProofV2macAlg = val;
+                    } else if (name.equals("popLinkWitnessV2.enable")) {
+                        popLinkWitnessV2Enable = val;
+                    } else if (name.equals("popLinkWitnessV2.keyGenAlg")) {
+                        popLinkWitnessV2keyGenAlg = val;
+                    } else if (name.equals("popLinkWitnessV2.macAlg")) {
+                        popLinkWitnessV2macAlg = val;
+                    /* the following are outdated */
                     } else if (name.equals("identityProof.enable")) {
                         identityProofEnable = val;
                     } else if (name.equals("identityProof.sharedSecret")) {
@@ -1448,8 +1833,6 @@ public class CMCRequest {
                         lraPopWitnessEnable = val;
                     } else if (name.equals("LraPopWitness.bodyPartIDs")) {
                         bodyPartIDs = val;
-                    } else if (name.equals("numRequests")) {
-                        numRequests = val;
                     }
                 }
             }
@@ -1518,13 +1901,14 @@ public class CMCRequest {
             //cfu
             ContentInfo cmcblob = null;
             PKIData pkidata = null;
-            if (decryptedPopEnable.equalsIgnoreCase("true")) {
-                PrivateKey privk = null;
+            PrivateKey privk = null;
+            if (decryptedPopEnable.equalsIgnoreCase("true") ||
+                    popLinkWitnessV2Enable.equalsIgnoreCase("true")) {
                 if (privKeyId == null) {
-                    System.out.println("ecryptedPop.enable = true, but privKeyId not specified.");
+                    System.out.println("ecryptedPop.enable or popLinkWitnessV2 true, but privKeyId not specified.");
                     printUsage();
                 } else {
-                    System.out.println("got privKeyId: " + privKeyId);
+                    System.out.println("got request privKeyId: " + privKeyId);
 
                     byte[] keyIDb = CryptoUtil.string2byte(privKeyId);
 
@@ -1538,7 +1922,9 @@ public class CMCRequest {
                         System.exit(1);
                     }
                 }
+            }
 
+            if (decryptedPopEnable.equalsIgnoreCase("true")) {
                 if (encryptedPopResponseFile == null) {
                     System.out.println("ecryptedPop.enable = true, but encryptedPopResponseFile is not specified.");
                     printUsage();
@@ -1688,7 +2074,9 @@ public class CMCRequest {
                 if (senderNonceEnable.equalsIgnoreCase("true"))
                     bpid = addSenderNonceAttr(bpid, controlSeq, senderNonce);
 
-                if (popLinkWitnessEnable.equalsIgnoreCase("true"))
+                //popLinkWitnessV2 takes precedence
+                if (!popLinkWitnessV2Enable.equalsIgnoreCase("true") &
+                        popLinkWitnessEnable.equalsIgnoreCase("true"))
                     bpid = addPopLinkWitnessAttr(bpid, controlSeq);
 
                 SEQUENCE otherMsgSeq = new SEQUENCE();
@@ -1711,9 +2099,13 @@ public class CMCRequest {
                         format, transactionMgtEnable, transactionMgtId,
                         identificationEnable, identification,
                         identityProofEnable, identityProofSharedSecret,
-                        identityProofV2Enable, witnessSharedSecret,
+                        witnessSharedSecret,
+                        identityProofV2Enable,
                         identityProofV2hashAlg, identityProofV2macAlg,
-                        controlSeq, otherMsgSeq, bpid);
+                        popLinkWitnessV2Enable,
+                        popLinkWitnessV2keyGenAlg, popLinkWitnessV2macAlg,
+                        controlSeq, otherMsgSeq, bpid,
+                        token, privk);
 
                 if (pkidata == null) {
                     System.out.println("pkidata null after createPKIData(). Exiting with error");
diff --git a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
index c5da9cf..5d9f7f1 100644
--- a/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
+++ b/base/java-tools/src/com/netscape/cmstools/CRMFPopClient.java
@@ -599,8 +599,10 @@ public class CRMFPopClient {
         SEQUENCE seq = new SEQUENCE();
         seq.addElement(new AVA(new OBJECT_IDENTIFIER("1.3.6.1.5.5.7.5.1.4"), opts));
 
+        /*
         OCTET_STRING ostr = createIDPOPLinkWitness();
         seq.addElement(new AVA(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr));
+        */
 
         return new CertRequest(new INTEGER(1), certTemplate, seq);
     }
@@ -676,10 +678,10 @@ public class CRMFPopClient {
 
         Signature signer;
         if (algorithm.equals("rsa")) {
-            signer =  token.getSignatureContext(SignatureAlgorithm.RSASignatureWithMD5Digest);
+            signer =  token.getSignatureContext(SignatureAlgorithm.RSASignatureWithSHA256Digest);
 
         } else if (algorithm.equals("ec")) {
-            signer =  token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA1Digest);
+            signer =  token.getSignatureContext(SignatureAlgorithm.ECSignatureWithSHA256Digest);
 
         } else {
             throw new Exception("Unknown algorithm: " + algorithm);
@@ -694,10 +696,10 @@ public class CRMFPopClient {
 
         AlgorithmIdentifier algorithmID;
         if (algorithm.equals("rsa")) {
-            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithMD5Digest.toOID(), null);
+            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.RSASignatureWithSHA256Digest.toOID(), null);
 
         } else if (algorithm.equals("ec")) {
-            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA1Digest.toOID(), null);
+            algorithmID = new AlgorithmIdentifier(SignatureAlgorithm.ECSignatureWithSHA256Digest.toOID(), null);
 
         } else {
             throw new Exception("Unknown algorithm: " + algorithm);
diff --git a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
index 57f8792..fd1d087 100644
--- a/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
+++ b/base/java-tools/src/com/netscape/cmstools/PKCS10Client.java
@@ -22,14 +22,12 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.PrintStream;
 import java.security.KeyPair;
-import java.security.MessageDigest;
 import java.security.PublicKey;
 
 import org.mozilla.jss.CryptoManager;
 import org.mozilla.jss.asn1.BMPString;
 import org.mozilla.jss.asn1.INTEGER;
 import org.mozilla.jss.asn1.OBJECT_IDENTIFIER;
-import org.mozilla.jss.asn1.OCTET_STRING;
 import org.mozilla.jss.asn1.PrintableString;
 import org.mozilla.jss.asn1.SET;
 import org.mozilla.jss.asn1.TeletexString;
@@ -38,17 +36,16 @@ import org.mozilla.jss.asn1.UniversalString;
 import org.mozilla.jss.crypto.CryptoToken;
 import org.mozilla.jss.crypto.KeyPairAlgorithm;
 import org.mozilla.jss.crypto.KeyPairGenerator;
+import org.mozilla.jss.crypto.PrivateKey;
 import org.mozilla.jss.crypto.SignatureAlgorithm;
 import org.mozilla.jss.pkcs10.CertificationRequest;
 import org.mozilla.jss.pkcs10.CertificationRequestInfo;
 import org.mozilla.jss.pkix.primitive.AVA;
-import org.mozilla.jss.pkix.primitive.Attribute;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 import org.mozilla.jss.util.Password;
 
 import com.netscape.cmsutil.crypto.CryptoUtil;
-import com.netscape.cmsutil.util.HMACDigest;
 import com.netscape.cmsutil.util.Utils;
 
 import netscape.security.pkcs.PKCS10;
@@ -248,6 +245,8 @@ public class PKCS10Client {
 
             System.out.println("PKCS10Client: key pair generated."); //key pair generated");
 
+            /*** leave out this test code; cmc can add popLinkwitnessV2;
+
             // Add idPOPLinkWitness control
             String secretValue = "testing";
             byte[] key1 = null;
@@ -255,7 +254,7 @@ public class PKCS10Client {
             MessageDigest SHA1Digest = MessageDigest.getInstance("SHA1");
             key1 = SHA1Digest.digest(secretValue.getBytes());
 
-            /* seed */
+            // seed
             byte[] b =
             { 0x10, 0x53, 0x42, 0x24, 0x1a, 0x2a, 0x35, 0x3c,
                 0x7a, 0x52, 0x54, 0x56, 0x71, 0x65, 0x66, 0x4c,
@@ -272,9 +271,10 @@ public class PKCS10Client {
 
             OCTET_STRING ostr = new OCTET_STRING(finalDigest);
             Attribute attr = new Attribute(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness, ostr);
+            ***/
 
             SET attributes = new SET();
-            attributes.addElement(attr);
+            //attributes.addElement(attr);
             Name n = getJssName(enable_encoding, subjectName);
             SubjectPublicKeyInfo subjectPub = new SubjectPublicKeyInfo(pair.getPublic());
             System.out.println("PKCS10Client: pair.getPublic() called.");
@@ -286,7 +286,7 @@ public class PKCS10Client {
             if (alg.equals("rsa")) {
                 CertificationRequest certRequest = null;
                 certRequest = new CertificationRequest(certReqInfo,
-                pair.getPrivate(), SignatureAlgorithm.RSASignatureWithMD5Digest);
+                pair.getPrivate(), SignatureAlgorithm.RSASignatureWithSHA256Digest);
                 System.out.println("PKCS10Client: CertificationRequest created.");
 
                 ByteArrayOutputStream bos = new ByteArrayOutputStream();
@@ -323,6 +323,14 @@ public class PKCS10Client {
                 b64E = CryptoUtil.base64Encode(certReqb);
             }
 
+            // print out keyid to be used in cmc popLinkWitnessV2
+            PrivateKey privateKey = (PrivateKey) pair.getPrivate();
+            @SuppressWarnings("deprecation")
+            byte id[] = privateKey.getUniqueID();
+            String kid = CryptoUtil.byte2string(id);
+            System.out.println("Keypair private key id: " + kid);
+            System.out.println("");
+
             System.out.println(RFC7468_HEADER);
             System.out.println(b64E);
             System.out.println(RFC7468_TRAILER);
diff --git a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
index 370cc33..5f7b0ef 100644
--- a/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
+++ b/base/server/cms/src/com/netscape/cms/profile/common/EnrollProfile.java
@@ -55,6 +55,7 @@ import org.mozilla.jss.pkix.cmc.IdentityProofV2;
 import org.mozilla.jss.pkix.cmc.LraPopWitness;
 import org.mozilla.jss.pkix.cmc.OtherMsg;
 import org.mozilla.jss.pkix.cmc.PKIData;
+import org.mozilla.jss.pkix.cmc.PopLinkWitnessV2;
 import org.mozilla.jss.pkix.cmc.TaggedAttribute;
 import org.mozilla.jss.pkix.cmc.TaggedCertificationRequest;
 import org.mozilla.jss.pkix.cmc.TaggedRequest;
@@ -64,6 +65,7 @@ import org.mozilla.jss.pkix.crmf.CertTemplate;
 import org.mozilla.jss.pkix.crmf.PKIArchiveOptions;
 import org.mozilla.jss.pkix.crmf.ProofOfPossession;
 import org.mozilla.jss.pkix.primitive.AVA;
+import org.mozilla.jss.pkix.primitive.AlgorithmIdentifier;
 import org.mozilla.jss.pkix.primitive.Attribute;
 import org.mozilla.jss.pkix.primitive.Name;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
@@ -73,7 +75,6 @@ import com.netscape.certsrv.authentication.IAuthToken;
 import com.netscape.certsrv.authentication.ISharedToken;
 import com.netscape.certsrv.authority.IAuthority;
 import com.netscape.certsrv.base.EBaseException;
-import com.netscape.certsrv.base.EPropertyNotFound;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.ca.ICertificateAuthority;
 import com.netscape.certsrv.logging.AuditEvent;
@@ -143,6 +144,9 @@ public abstract class EnrollProfile extends BasicProfile
      */
     public IRequest[] createRequests(IProfileContext ctx, Locale locale)
             throws EProfileException {
+        String method = "EnrollProfile: createRequests";
+        CMS.debug(method + "begins");
+
         // determine how many requests should be created
         String cert_request_type = ctx.get(CTX_CERT_REQUEST_TYPE);
         String cert_request = ctx.get(CTX_CERT_REQUEST);
@@ -151,7 +155,7 @@ public abstract class EnrollProfile extends BasicProfile
 
         /* cert_request_type can be null for the case of CMC */
         if (cert_request_type == null) {
-            CMS.debug("EnrollProfile: request type is null");
+            CMS.debug(method + " request type is null");
         }
 
         int num_requests = 1; // default to 1 request
@@ -174,10 +178,14 @@ public abstract class EnrollProfile extends BasicProfile
              */
             // catch for invalid request
             cmc_msgs = parseCMC(locale, cert_request);
-            if (cmc_msgs == null)
+            if (cmc_msgs == null) {
+                CMS.debug(method + "parseCMC returns cmc_msgs null");
                 return null;
-            else
+            } else {
                 num_requests = cmc_msgs.length;
+                CMS.debug(method + "parseCMC returns cmc_msgs num_requests=" +
+                        num_requests);
+            }
         }
 
         // only 1 request for renewal
@@ -356,7 +364,6 @@ public abstract class EnrollProfile extends BasicProfile
             throw new EBaseException(method + msg);
         }
         byte[] req_key_data = req.getExtDataInByteArray(IEnrollProfile.REQUEST_KEY);
-        netscape.security.x509.CertificateX509Key pubKey = null;
         if (req_key_data != null) {
             CMS.debug(method + "found user public key in request");
 
@@ -511,6 +518,11 @@ public abstract class EnrollProfile extends BasicProfile
         }
     }
 
+    /*
+     * parseCMC
+     * @throws EProfileException in case of error
+     *   note: returing "null" doesn't mean failure
+     */
     public TaggedRequest[] parseCMC(Locale locale, String certreq)
             throws EProfileException {
 
@@ -553,6 +565,7 @@ public abstract class EnrollProfile extends BasicProfile
             int numcontrols = controlSeq.size();
             SEQUENCE reqSeq = pkiData.getReqSequence();
             byte randomSeed[] = null;
+            UTF8String ident_s = null;
             SessionContext context = SessionContext.getContext();
             if (!context.containsKey("numOfControls")) {
                 if (numcontrols > 0) {
@@ -588,6 +601,7 @@ public abstract class EnrollProfile extends BasicProfile
                             id_cmc_identityProof = true;
                             attr = attributes[i];
                         } else if (oid.equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkRandom)) {
+                            CMS.debug(method + "id_cmc_idPOPLinkRandom true");
                             id_cmc_idPOPLinkRandom = true;
                             vals = attributes[i].getValues();
                         } else {
@@ -621,23 +635,31 @@ public abstract class EnrollProfile extends BasicProfile
                         return null;
                     }
 
-                    UTF8String ident_s = null;
                     if (id_cmc_identification) {
                         if (ident == null) {
                             msg = "id_cmc_identification contains null attribute value";
                             CMS.debug(method + msg);
                             SEQUENCE bpids = getRequestBpids(reqSeq);
                             context.put("identification", bpids);
-                            return null;
+
+                            msg = " id_cmc_identification attribute value not found in";
+                            CMS.debug(method + msg);
+                            throw new EProfileException(
+                                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                                            msg);
                         }
                         ident_s = (UTF8String) (ASN1Util.decode(UTF8String.getTemplate(),
                                 ASN1Util.encode(ident.elementAt(0))));
                         if (ident_s == null) {
-                            msg = "id_cmc_identification contains invalid content";
+                            msg = " id_cmc_identification contains invalid content";
                             CMS.debug(method + msg);
                             SEQUENCE bpids = getRequestBpids(reqSeq);
                             context.put("identification", bpids);
-                            return null;
+
+                            CMS.debug(method + msg);
+                            throw new EProfileException(
+                                    CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
+                                            msg);
                         }
                     }
 
@@ -646,7 +668,8 @@ public abstract class EnrollProfile extends BasicProfile
                         if (!id_cmc_identification) {
                             SEQUENCE bpids = getRequestBpids(reqSeq);
                             context.put("identification", bpids);
-                            msg = "id_cmc_identityProofV2 must be accompanied by id_cmc_identification in this server";
+                            context.put("identityProofV2", bpids);
+                            msg = "id_cmc_identityProofV2 missing id_cmc_identification";
                             CMS.debug(method + msg);
                             throw new EProfileException(
                                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST") +
@@ -658,7 +681,11 @@ public abstract class EnrollProfile extends BasicProfile
                         if (!valid) {
                             SEQUENCE bpids = getRequestBpids(reqSeq);
                             context.put("identityProofV2", bpids);
-                            return null;
+
+                            msg = " in verifyIdentityProofV2";
+                            CMS.debug(method + msg);
+                            throw new EProfileException(CMS.getUserMessage(locale,
+                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
                         }
                     } else if (id_cmc_identityProof && (attr != null)) {
                         boolean valid = verifyIdentityProof(attr,
@@ -666,14 +693,20 @@ public abstract class EnrollProfile extends BasicProfile
                         if (!valid) {
                             SEQUENCE bpids = getRequestBpids(reqSeq);
                             context.put("identityProof", bpids);
-                            return null;
+
+                            msg = " in verifyIdentityProof";
+                            CMS.debug(method + msg);
+                            throw new EProfileException(CMS.getUserMessage(locale,
+                                    "CMS_POI_VERIFICATION_ERROR")+ msg);
                         }
                     }
 
                     if (id_cmc_idPOPLinkRandom && vals != null) {
-                        OCTET_STRING ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
+                        OCTET_STRING ostr =
+                                (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
                                 ASN1Util.encode(vals.elementAt(0))));
                         randomSeed = ostr.toByteArray();
+                        CMS.debug(method + "got randomSeed");
                     }
                 } // numcontrols > 0
             }
@@ -691,19 +724,55 @@ public abstract class EnrollProfile extends BasicProfile
 
             int nummsgs = reqSeq.size();
             if (nummsgs > 0) {
+
                 msgs = new TaggedRequest[reqSeq.size()];
                 SEQUENCE bpids = new SEQUENCE();
+
+                /* TODO: add this in CS.cfg later: cmc.popLinkWitnessRequired=true
+                // enforce popLinkWitness (or V2)
+                boolean popLinkWitnessRequired = true;
+                try {
+                    String configName = "cmc.popLinkWitnessRequired";
+                    CMS.debug(method + "getting :" + configName);
+                    popLinkWitnessRequired = CMS.getConfigStore().getBoolean(configName, true);
+                    CMS.debug(method + "cmc.popLinkWitnessRequired is " + popLinkWitnessRequired);
+                } catch (Exception e) {
+                    // unlikely to get here
+                    msg = method + " Failed to retrieve cmc.popLinkWitnessRequired";
+                    CMS.debug(msg);
+                    throw new EProfileException(method + msg);
+                }
+*/
+
                 boolean valid = true;
                 for (int i = 0; i < nummsgs; i++) {
                     msgs[i] = (TaggedRequest) reqSeq.elementAt(i);
-                    if (!context.containsKey("POPLinkWitness")) {
+                    if (!context.containsKey("POPLinkWitnessV2") &&
+                            !context.containsKey("POPLinkWitness")) {
                         if (randomSeed != null) {
-                            valid = verifyPOPLinkWitness(randomSeed, msgs[i], bpids);
-                            if (!valid || bpids.size() > 0) {
-                                context.put("POPLinkWitness", bpids);
-                                return null;
+                            // verifyPOPLinkWitness() will determine if this is
+                            // POPLinkWitnessV2 or POPLinkWitness
+                            // If failure, context is set in verifyPOPLinkWitness
+                            valid = verifyPOPLinkWitness(ident_s, randomSeed, msgs[i], bpids, context);
+                            if (valid == false) {
+                                if (context.containsKey("POPLinkWitnessV2"))
+                                    msg = " in POPLinkWitnessV2";
+                                else if (context.containsKey("POPLinkWitness"))
+                                    msg = " in POPLinkWitness";
+                                else
+                                    msg = " unspecified failure from verifyPOPLinkWitness";
+
+                                CMS.debug(method + msg);
+                                throw new EProfileException(CMS.getUserMessage(locale,
+                                        "MS_POP_LINK_WITNESS_VERIFICATION_ERROR")+ msg);
                             }
-                        }
+                        /* TODO: for next cmc ticket, eliminate the extra trip of parseCMC if possible, or figure a way out to bypass this on 2nd trip
+                        } else if (popLinkWitnessRequired == true) {
+                            //popLinkWitnessRequired == true, must have randomSeed
+                            CMS.debug(method + "popLinkWitness(V2) required; no randomSeed found");
+                            context.put("POPLinkWitnessV2", bpids);
+                            return null;*/
+                        } //randomSeed != null
                     }
                 }
             } else
@@ -711,8 +780,10 @@ public abstract class EnrollProfile extends BasicProfile
 
             CMS.debug(method + "ends");
             return msgs;
+        } catch (EProfileException e) {
+            throw new EProfileException(e);
         } catch (Exception e) {
-            CMS.debug(method + "Unable to parse CMC request: " + e);
+            CMS.debug(method + e);
             throw new EProfileException(
                     CMS.getUserMessage(locale, "CMS_PROFILE_INVALID_REQUEST"), e);
         }
@@ -778,9 +849,9 @@ public abstract class EnrollProfile extends BasicProfile
         }
 
         byte[] cmc_msg = req.getExtDataInByteArray(IEnrollProfile.CTX_CERT_REQUEST);
-        if (pop_sysPubEncreyptedSession == null) {
+        if (cmc_msg == null) {
             msg = method +
-                    "pop_sysPubEncreyptedSession not found in request:" +
+                    "cmc_msg not found in request:" +
                     reqId.toString();
             CMS.debug(msg);
             return null;
@@ -857,43 +928,125 @@ public abstract class EnrollProfile extends BasicProfile
         return reqId;
     }
 
-    private boolean verifyPOPLinkWitness(byte[] randomSeed, TaggedRequest req,
-            SEQUENCE bpids) {
-        ISharedToken tokenClass = null;
-        boolean sharedSecretFound = true;
-        String name = null;
+    /**
+     * getPopLinkWitnessV2control
+     *
+     * @author cfu
+     */
+    protected PopLinkWitnessV2 getPopLinkWitnessV2control(ASN1Value value) {
+        String method = "EnrollProfile: getPopLinkWitnessV2control: ";
+
+        ByteArrayInputStream bis = new ByteArrayInputStream(
+                ASN1Util.encode(value));
+        PopLinkWitnessV2 popLinkWitnessV2 = null;
+
         try {
-            name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
-        } catch (EPropertyNotFound e) {
-            CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
-            sharedSecretFound = false;
-        } catch (EBaseException e) {
-            CMS.debug("EnrollProfile: Failed to find the token class in the configuration file.");
-            sharedSecretFound = false;
+            popLinkWitnessV2 = (PopLinkWitnessV2) (new PopLinkWitnessV2.Template()).decode(bis);
+        } catch (Exception e) {
+            CMS.debug(method + e);
+        }
+        return popLinkWitnessV2;
+    }
+
+    /**
+     * verifyPopLinkWitnessV2
+     *
+     * @author cfu
+     */
+    protected boolean verifyPopLinkWitnessV2(
+            PopLinkWitnessV2 popLinkWitnessV2,
+            byte[] randomSeed,
+            String sharedSecret,
+            String ident_string) {
+        String method = "EnrollProfile: verifyPopLinkWitnessV2: ";
+
+        if ((popLinkWitnessV2 == null) ||
+                (randomSeed == null) ||
+                (sharedSecret == null)) {
+            CMS.debug(method + " method parameters cannot be null");
+            return false;
+        }
+        AlgorithmIdentifier keyGenAlg = popLinkWitnessV2.getKeyGenAlgorithm();
+        AlgorithmIdentifier macAlg = popLinkWitnessV2.getMacAlgorithm();
+        OCTET_STRING witness = popLinkWitnessV2.getWitness();
+        if (keyGenAlg == null) {
+            CMS.debug(method + " keyGenAlg reurned by popLinkWitnessV2.getWitness is null");
+            return false;
+        }
+        if (macAlg == null) {
+            CMS.debug(method + " macAlg reurned by popLinkWitnessV2.getWitness is null");
+            return false;
+        }
+        if (witness == null) {
+            CMS.debug(method + " witness reurned by popLinkWitnessV2.getWitness is null");
+            return false;
         }
 
         try {
-            tokenClass = (ISharedToken) Class.forName(name).newInstance();
-        } catch (ClassNotFoundException e) {
-            CMS.debug("EnrollProfile: Failed to find class name: " + name);
-            sharedSecretFound = false;
-        } catch (InstantiationException e) {
-            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
-            sharedSecretFound = false;
-        } catch (IllegalAccessException e) {
-            CMS.debug("EnrollProfile: Illegal access: " + name);
+            DigestAlgorithm keyGenAlgID = DigestAlgorithm.fromOID(keyGenAlg.getOID());
+            MessageDigest keyGenMDAlg = MessageDigest.getInstance(keyGenAlgID.toString());
+
+            HMACAlgorithm macAlgID = HMACAlgorithm.fromOID(macAlg.getOID());
+            MessageDigest macMDAlg = MessageDigest
+                    .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgID.toString()));
+
+            byte[] witness_bytes = witness.toByteArray();
+            return verifyDigest(
+                    (ident_string != null) ? (sharedSecret + ident_string).getBytes() : sharedSecret.getBytes(),
+                    randomSeed,
+                    witness_bytes,
+                    keyGenMDAlg, macMDAlg);
+        } catch (NoSuchAlgorithmException e) {
+            CMS.debug(method + e);
+            return false;
+        } catch (Exception e) {
+            CMS.debug(method + e);
+            return false;
+        }
+    }
+
+    /*
+     * verifyPOPLinkWitness now handles POPLinkWitnessV2;
+     */
+    private boolean verifyPOPLinkWitness(
+            UTF8String ident, byte[] randomSeed, TaggedRequest req,
+            SEQUENCE bpids, SessionContext context) {
+        String method = "EnrollProfile: verifyPOPLinkWitness: ";
+        CMS.debug(method + "begins.");
+
+        String ident_string = null;
+        if (ident != null) {
+            ident_string = ident.toString();
+        }
+
+        boolean sharedSecretFound = true;
+        String configName = "cmc.sharedSecret.class";
+        String sharedSecret = null;
+        ISharedToken tokenClass = getSharedTokenClass(configName);
+        if (tokenClass == null) {
+            CMS.debug(method + " Failed to retrieve shared secret plugin class");
             sharedSecretFound = false;
+        } else {
+            if (ident_string != null) {
+                sharedSecret = tokenClass.getSharedToken(ident_string);
+            } else {
+                sharedSecret = tokenClass.getSharedToken(mCMCData);
+            }
+            if (sharedSecret == null)
+                sharedSecretFound = false;
         }
 
         INTEGER reqId = null;
         byte[] bv = null;
-        String sharedSecret = null;
-        if (tokenClass != null)
-            sharedSecret = tokenClass.getSharedToken(mCMCData);
+
         if (req.getType().equals(TaggedRequest.PKCS10)) {
+            String methodPos = method + "PKCS10: ";
+            CMS.debug(methodPos + "begins");
+
             TaggedCertificationRequest tcr = req.getTcr();
             if (!sharedSecretFound) {
                 bpids.addElement(tcr.getBodyPartID());
+                context.put("POPLinkWitness", bpids);
                 return false;
             } else {
                 CertificationRequest creq = tcr.getCertificationRequest();
@@ -901,13 +1054,42 @@ public abstract class EnrollProfile extends BasicProfile
                 SET attrs = cinfo.getAttributes();
                 for (int j = 0; j < attrs.size(); j++) {
                     Attribute pkcs10Attr = (Attribute) attrs.elementAt(j);
-                    if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+                    if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) {
+                        CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2");
+                        if (ident_string == null) {
+                            bpids.addElement(reqId);
+                            context.put("identification", bpids);
+                            context.put("POPLinkWitnessV2", bpids);
+                            String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server";
+                            CMS.debug(methodPos + msg);
+                            return false;
+                        }
+
+                        SET witnessVal = pkcs10Attr.getValues();
+                        if (witnessVal.size() > 0) {
+                            try {
+                                PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(witnessVal.elementAt(0));
+                                boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2,
+                                        randomSeed,
+                                        sharedSecret,
+                                        ident_string);
+                                if (!valid) {
+                                    bpids.addElement(reqId);
+                                    context.put("POPLinkWitnessV2", bpids);
+                                    return valid;
+                                }
+                                return true;
+                            } catch (Exception ex) {
+                                CMS.debug(methodPos + ex);
+                                return false;
+                            }
+                        }
+                    } else if (pkcs10Attr.getType().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
                         SET witnessVal = pkcs10Attr.getValues();
                         if (witnessVal.size() > 0) {
                             try {
-                                OCTET_STRING str =
-                                        (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
-                                                ASN1Util.encode(witnessVal.elementAt(0))));
+                                OCTET_STRING str = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
+                                        ASN1Util.encode(witnessVal.elementAt(0))));
                                 bv = str.toByteArray();
                                 return verifyDigest(sharedSecret.getBytes(),
                                         randomSeed, bv);
@@ -921,27 +1103,55 @@ public abstract class EnrollProfile extends BasicProfile
                 return false;
             }
         } else if (req.getType().equals(TaggedRequest.CRMF)) {
+            String methodPos = method + "CRMF: ";
+            CMS.debug(methodPos + "begins");
+
             CertReqMsg crm = req.getCrm();
             CertRequest certReq = crm.getCertReq();
             reqId = certReq.getCertReqId();
             if (!sharedSecretFound) {
                 bpids.addElement(reqId);
+                context.put("POPLinkWitness", bpids);
                 return false;
             } else {
                 for (int i = 0; i < certReq.numControls(); i++) {
                     AVA ava = certReq.controlAt(i);
 
-                    if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+                    if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_popLinkWitnessV2)) {
+                        CMS.debug(methodPos + "found id_cmc_popLinkWitnessV2");
+                        if (ident_string == null) {
+                            bpids.addElement(reqId);
+                            context.put("identification", bpids);
+                            context.put("POPLinkWitnessV2", bpids);
+                            String msg = "id_cmc_popLinkWitnessV2 must be accompanied by id_cmc_identification in this server";
+                            CMS.debug(methodPos + msg);
+                            return false;
+                        }
+
+                        ASN1Value value = ava.getValue();
+                        PopLinkWitnessV2 popLinkWitnessV2 = getPopLinkWitnessV2control(value);
+
+                        boolean valid = verifyPopLinkWitnessV2(popLinkWitnessV2,
+                                randomSeed,
+                                sharedSecret,
+                                ident_string);
+                        if (!valid) {
+                            bpids.addElement(reqId);
+                            context.put("POPLinkWitnessV2", bpids);
+                            return valid;
+                        }
+                    } else if (ava.getOID().equals(OBJECT_IDENTIFIER.id_cmc_idPOPLinkWitness)) {
+                        CMS.debug(methodPos + "found id_cmc_idPOPLinkWitness");
                         ASN1Value value = ava.getValue();
                         ByteArrayInputStream bis = new ByteArrayInputStream(
                                 ASN1Util.encode(value));
                         OCTET_STRING ostr = null;
                         try {
-                            ostr = (OCTET_STRING)
-                                    (new OCTET_STRING.Template()).decode(bis);
+                            ostr = (OCTET_STRING) (new OCTET_STRING.Template()).decode(bis);
                             bv = ostr.toByteArray();
                         } catch (Exception e) {
                             bpids.addElement(reqId);
+                            context.put("POPLinkWitness", bpids);
                             return false;
                         }
 
@@ -949,6 +1159,7 @@ public abstract class EnrollProfile extends BasicProfile
                                 randomSeed, bv);
                         if (!valid) {
                             bpids.addElement(reqId);
+                            context.put("POPLinkWitness", bpids);
                             return valid;
                         }
                     }
@@ -1002,10 +1213,7 @@ public abstract class EnrollProfile extends BasicProfile
         byte[] finalDigest = null;
         HMACDigest hmacDigest = new HMACDigest(macAlg, key);
         hmacDigest.update(text);
-        if (hmacDigest == null) {
-            CMS.debug(method + " hmacDigest null after hmacDigest.update");
-            return false;
-        }
+
         finalDigest = hmacDigest.digest();
 
         if (finalDigest.length != bv.length) {
@@ -1041,6 +1249,40 @@ public abstract class EnrollProfile extends BasicProfile
         return bpids;
     }
 
+
+    ISharedToken getSharedTokenClass(String configName) {
+        String method = "EnrollProfile: getSharedTokenClass: ";
+        ISharedToken tokenClass = null;
+
+        String name = null;
+        try {
+            CMS.debug(method + "getting :" + configName);
+            name = CMS.getConfigStore().getString(configName);
+            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
+                    name);
+        } catch (Exception e) {
+            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
+            return null;
+        }
+
+        try {
+            tokenClass = (ISharedToken) Class.forName(name).newInstance();
+            CMS.debug(method + "Shared Secret plugin class retrieved");
+        } catch (ClassNotFoundException e) {
+            CMS.debug(method + " Failed to find class name: " + name);
+            return null;
+        } catch (InstantiationException e) {
+            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
+            return null;
+        } catch (IllegalAccessException e) {
+            CMS.debug(method + " Illegal access: " + name);
+            return null;
+        }
+
+        return tokenClass;
+    }
+
+
     /**
      * verifyIdentityProofV2 handles IdentityProofV2 as defined by RFC5272
      *
@@ -1070,32 +1312,9 @@ public abstract class EnrollProfile extends BasicProfile
             return false;
         }
 
-        String name = null;
-        try {
-            String configName = "cmc.sharedSecret.class";
-            CMS.debug(method + "getting :" + configName);
-            name = CMS.getConfigStore().getString(configName);
-            CMS.debug(method + "Shared Secret plugin class name retrieved:" +
-                    name);
-        } catch (Exception e) {
-            CMS.debug(method + " Failed to retrieve shared secret plugin class name");
-            return false;
-        }
+        String configName = "cmc.sharedSecret.class";
+        ISharedToken tokenClass = getSharedTokenClass(configName);
 
-        ISharedToken tokenClass = null;
-        try {
-            tokenClass = (ISharedToken) Class.forName(name).newInstance();
-            CMS.debug(method + "Shared Secret plugin class retrieved");
-        } catch (ClassNotFoundException e) {
-            CMS.debug(method + " Failed to find class name: " + name);
-            return false;
-        } catch (InstantiationException e) {
-            CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
-            return false;
-        } catch (IllegalAccessException e) {
-            CMS.debug(method + " Illegal access: " + name);
-            return false;
-        }
         if (tokenClass == null) {
             CMS.debug(method + " Failed to retrieve shared secret plugin class");
             return false;
@@ -1116,19 +1335,13 @@ public abstract class EnrollProfile extends BasicProfile
         try {
             IdentityProofV2 idV2val = (IdentityProofV2) (ASN1Util.decode(IdentityProofV2.getTemplate(),
                     ASN1Util.encode(vals.elementAt(0))));
-            /**
-             * TODO: cfu:
-             * phase2: getting configurable allowable hashing and mac algorithms
-             */
 
             DigestAlgorithm hashAlgID = DigestAlgorithm.fromOID(idV2val.getHashAlgID().getOID());
             MessageDigest hashAlg = MessageDigest.getInstance(hashAlgID.toString());
-            // TODO: check against CA allowed algs later
 
             HMACAlgorithm macAlgId = HMACAlgorithm.fromOID(idV2val.getMacAlgId().getOID());
             MessageDigest macAlg = MessageDigest
                     .getInstance(CryptoUtil.getHMACtoMessageDigestName(macAlgId.toString()));
-            // TODO: check against CA allowed algs later
 
             OCTET_STRING witness = idV2val.getWitness();
             if (witness == null) {
@@ -1151,32 +1364,18 @@ public abstract class EnrollProfile extends BasicProfile
     } // verifyIdentityProofV2
 
     private boolean verifyIdentityProof(TaggedAttribute attr, SEQUENCE reqSeq) {
+        String method = "verifyIdentityProof: ";
+
         SET vals = attr.getValues();
         if (vals.size() < 1)
             return false;
-        String name = null;
-        try {
-            name = CMS.getConfigStore().getString("cmc.sharedSecret.class");
-        } catch (EPropertyNotFound e) {
-        } catch (EBaseException e) {
-        }
 
-        if (name == null)
+        String configName = "cmc.sharedSecret.class";
+            ISharedToken tokenClass = getSharedTokenClass(configName);
+        if (tokenClass == null) {
+            CMS.debug(method + " Failed to retrieve shared secret plugin class");
             return false;
-        else {
-            ISharedToken tokenClass = null;
-            try {
-                tokenClass = (ISharedToken) Class.forName(name).newInstance();
-            } catch (ClassNotFoundException e) {
-                CMS.debug("EnrollProfile: Failed to find class name: " + name);
-                return false;
-            } catch (InstantiationException e) {
-                CMS.debug("EnrollProfile: Failed to instantiate class: " + name);
-                return false;
-            } catch (IllegalAccessException e) {
-                CMS.debug("EnrollProfile: Illegal access: " + name);
-                return false;
-            }
+        }
 
             String token = tokenClass.getSharedToken(mCMCData);
             OCTET_STRING ostr = null;
@@ -1184,20 +1383,20 @@ public abstract class EnrollProfile extends BasicProfile
                 ostr = (OCTET_STRING) (ASN1Util.decode(OCTET_STRING.getTemplate(),
                         ASN1Util.encode(vals.elementAt(0))));
             } catch (InvalidBERException e) {
-                CMS.debug("EnrollProfile: Failed to decode the byte value.");
+                CMS.debug(method + "Failed to decode the byte value.");
                 return false;
             }
             byte[] b = ostr.toByteArray();
             byte[] text = ASN1Util.encode(reqSeq);
 
             return verifyDigest(token.getBytes(), text, b);
-        }
     }
 
     public void fillTaggedRequest(Locale locale, TaggedRequest tagreq, X509CertInfo info,
             IRequest req)
             throws EProfileException {
         String method = "EnrollProfile: fillTaggedRequest: ";
+        CMS.debug(method + "begins");
         TaggedRequest.Type type = tagreq.getType();
         if (type == null) {
             CMS.debug(method + "TaggedRequest type == null");
diff --git a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
index ac690f2..c130a1e 100644
--- a/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
+++ b/base/server/cms/src/com/netscape/cms/servlet/common/CMCOutputTemplate.java
@@ -268,6 +268,18 @@ public class CMCOutputTemplate {
                 controlSeq.addElement(tagattr);
             }
 
+            SEQUENCE POPLinkWitnessV2Bpids = (SEQUENCE) context.get("POPLinkWitnessV2");
+            if (POPLinkWitnessV2Bpids != null && POPLinkWitnessV2Bpids.size() > 0) {
+                OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
+                        new INTEGER(OtherInfo.BAD_REQUEST), null);
+                cmcStatusInfo = new CMCStatusInfo(CMCStatusInfo.FAILED,
+                        POPLinkWitnessV2Bpids, (String) null, otherInfo);
+                tagattr = new TaggedAttribute(
+                        new INTEGER(bpid++),
+                        OBJECT_IDENTIFIER.id_cmc_cMCStatusInfo, cmcStatusInfo);
+                controlSeq.addElement(tagattr);
+            }
+
             SEQUENCE POPLinkWitnessBpids = (SEQUENCE) context.get("POPLinkWitness");
             if (POPLinkWitnessBpids != null && POPLinkWitnessBpids.size() > 0) {
                 OtherInfo otherInfo = new OtherInfo(OtherInfo.FAIL,
diff --git a/base/server/cmsbundle/src/UserMessages.properties b/base/server/cmsbundle/src/UserMessages.properties
index bc7f8cf..bf96f90 100644
--- a/base/server/cmsbundle/src/UserMessages.properties
+++ b/base/server/cmsbundle/src/UserMessages.properties
@@ -306,6 +306,8 @@ CMS_ADMIN_SRVLT_CERT_VALIDATE_FAILED=Imported cert has not been verified to be v
 # ProfileSubmitServlet
 #######################################################
 CMS_POP_VERIFICATION_ERROR=Proof-of-Possession Verification Failed
+CMS_POI_VERIFICATION_ERROR=Proof-of-Identification Verification Failed
+CMS_POP_LINK_WITNESS_VERIFICATION_ERROR=POP Link Witness Verification Failed
 CMS_AUTHENTICATION_AGENT_NAME=Agent Authentication
 CMS_AUTHENTICATION_AGENT_TEXT=This plugin authenticates agents using a certificate.
 CMS_AUTHENTICATION_SSL_CLIENT_NAME=SSL Client Authentication
-- 
1.8.3.1


From 0bd94db7a4266a7a91e08162c7e5eebf071800f2 Mon Sep 17 00:00:00 2001
From: Ade Lee <alee@redhat.com>
Date: Thu, 13 Apr 2017 20:44:32 -0400
Subject: [PATCH 59/59] Allow key recovery to use encrypted field in key record

The previous commit added a field in the KeyRecord to
specify whether or not a key was encrypted or key wrapped
when archived.  This patch modifies the recovery servlets
to use this field to determine how to decrypt/unwrap the
key for transport.

Absence of this field in the key record implies that is
an old record - and we use the value of the CS.cfg parameter
as the default.

Change-Id: Ia8ae679e8b3fe8462d42848d614bff863ef68e50
---
 .../com/netscape/certsrv/dbs/keydb/IKeyRecord.java  |  2 ++
 base/kra/src/com/netscape/kra/RecoveryService.java  | 13 ++++++++++---
 .../src/com/netscape/kra/SecurityDataProcessor.java | 21 ++++++++++++++-------
 .../com/netscape/kra/TokenKeyRecoveryService.java   | 11 +++++++++--
 .../src/com/netscape/cmscore/dbs/KeyRecord.java     |  9 +++++++++
 5 files changed, 44 insertions(+), 12 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
index c947d3c..d3aaa63 100644
--- a/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
+++ b/base/common/src/com/netscape/certsrv/dbs/keydb/IKeyRecord.java
@@ -173,4 +173,6 @@ public interface IKeyRecord {
     public void setWrappingParams(WrappingParams params, boolean encrypted) throws Exception;
 
     public WrappingParams getWrappingParams(WrappingParams oldParams) throws Exception;
+
+    public Boolean isEncrypted() throws EBaseException;
 }
diff --git a/base/kra/src/com/netscape/kra/RecoveryService.java b/base/kra/src/com/netscape/kra/RecoveryService.java
index c89e2f3..fda5b80 100644
--- a/base/kra/src/com/netscape/kra/RecoveryService.java
+++ b/base/kra/src/com/netscape/kra/RecoveryService.java
@@ -224,8 +224,15 @@ public class RecoveryService implements IService {
                 statsSub.startTiming("recover_key");
             }
 
+            Boolean encrypted = keyRecord.isEncrypted();
+            if (encrypted == null) {
+                // must be an old key record
+                // assume the value of allowEncDecrypt
+                encrypted = allowEncDecrypt_recovery;
+            }
+
             PrivateKey privKey = null;
-            if (allowEncDecrypt_recovery == true) {
+            if (encrypted) {
                 privateKeyData = recoverKey(params, keyRecord);
             } else {
                 privKey = recoverKey(params, keyRecord, isRSA);
@@ -234,7 +241,7 @@ public class RecoveryService implements IService {
                 statsSub.endTiming("recover_key");
             }
 
-            if ((isRSA == true) && (allowEncDecrypt_recovery == true)) {
+            if ((isRSA == true) && encrypted) {
                 if (statsSub != null) {
                     statsSub.startTiming("verify_key");
                 }
@@ -253,7 +260,7 @@ public class RecoveryService implements IService {
             if (statsSub != null) {
                 statsSub.startTiming("create_p12");
             }
-            if (allowEncDecrypt_recovery == true) {
+            if (encrypted) {
                 createPFX(request, params, privateKeyData);
             } else {
                 createPFX(request, params, privKey, ct);
diff --git a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
index 4261833..701b611 100644
--- a/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
+++ b/base/kra/src/com/netscape/kra/SecurityDataProcessor.java
@@ -363,8 +363,15 @@ public class SecurityDataProcessor {
         byte[] unwrappedSecData = null;
         PrivateKey privateKey = null;
 
+        Boolean encrypted = keyRecord.isEncrypted();
+        if (encrypted == null) {
+            // must be an old key record
+            // assume the value of allowEncDecrypt
+            encrypted = allowEncDecrypt_recovery;
+        }
+
         if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
-            if (allowEncDecrypt_recovery == true) {
+            if (encrypted) {
                 CMS.debug("Recover symmetric key by decrypting as per allowEncDecrypt_recovery: true.");
                 unwrappedSecData = recoverSecurityData(keyRecord);
             } else {
@@ -375,7 +382,7 @@ public class SecurityDataProcessor {
             unwrappedSecData = recoverSecurityData(keyRecord);
         } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
             try {
-                if (allowEncDecrypt_recovery == true) {
+                if (encrypted) {
                     CMS.debug("Recover asymmetric key by decrypting as per allowEncDecrypt_recovery: true.");
                     unwrappedSecData = recoverSecurityData(keyRecord);
                 } else {
@@ -466,7 +473,7 @@ public class SecurityDataProcessor {
                 if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
 
                     CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with transport passphrase");
-                    if (allowEncDecrypt_recovery == true) {
+                    if (encrypted) {
                         CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, symmetric key:  create blob with unwrapped key.");
                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
                     } else {
@@ -478,7 +485,7 @@ public class SecurityDataProcessor {
                     CMS.debug("SecurityDataProcessor.recover(): encrypt stored passphrase with transport passphrase");
                     pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
                 } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
-                    if (allowEncDecrypt_recovery == true) {
+                    if (encrypted) {
                         CMS.debug("SecurityDataProcessor.recover(): allowEncDecyypt_recovery: true, asymmetric key:  create blob with unwrapped key.");
                         pbeWrappedData = createEncryptedContentInfo(ct, null, unwrappedSecData, null, pass);
                     } else {
@@ -511,7 +518,7 @@ public class SecurityDataProcessor {
             if (dataType.equals(KeyRequestResource.SYMMETRIC_KEY_TYPE)) {
                 CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored symmetric key with session key");
                 try {
-                    if (allowEncDecrypt_recovery == true) {
+                    if (encrypted) {
                         CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key with session key as per allowEncDecrypt_recovery: true.");
                         unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
                                 SymmetricKey.Usage.ENCRYPT, wrapParams);
@@ -559,7 +566,7 @@ public class SecurityDataProcessor {
             } else if (dataType.equals(KeyRequestResource.ASYMMETRIC_KEY_TYPE)) {
                 CMS.debug("SecurityDataProcessor.recover(): wrap or encrypt stored private key with session key");
                 try {
-                    if (allowEncDecrypt_recovery == true) {
+                    if (encrypted) {
                         CMS.debug("SecurityDataProcessor.recover(): encrypt symmetric key.");
                         unwrappedSess = transportUnit.unwrap_session_key(ct, wrappedSessKey,
                                 SymmetricKey.Usage.ENCRYPT, wrapParams);
@@ -599,7 +606,7 @@ public class SecurityDataProcessor {
         params.put(IRequest.SECURITY_DATA_PL_WRAPPING_NAME,
                 wrapParams.getPayloadWrapAlgorithm().toString());
 
-        if ((allowEncDecrypt_recovery == true) || (dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE))) {
+        if (encrypted || dataType.equals(KeyRequestResource.PASS_PHRASE_TYPE)) {
             params.put(IRequest.SECURITY_DATA_PL_WRAPPED, Boolean.toString(false));
             if (wrapParams.getPayloadEncryptionIV() != null) {
                 params.put(IRequest.SECURITY_DATA_IV_STRING_OUT, ivStr);
diff --git a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
index 67f4dc6..64f65a0 100644
--- a/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
+++ b/base/kra/src/com/netscape/kra/TokenKeyRecoveryService.java
@@ -433,9 +433,16 @@ public class TokenKeyRecoveryService implements IService {
                 }
             } // else, searched by keyid, can't check
 
+            Boolean encrypted = keyRecord.isEncrypted();
+            if (encrypted == null) {
+                // must be an old key record
+                // assume the value of allowEncDecrypt
+                encrypted = allowEncDecrypt_recovery;
+            }
+
             Type keyType = PrivateKey.RSA;
             byte wrapped[];
-            if (allowEncDecrypt_recovery == true) {
+            if (encrypted) {
                 // Unwrap the archived private key
                 byte privateKeyData[] = null;
                 privateKeyData = recoverKey(params, keyRecord);
@@ -493,7 +500,7 @@ public class TokenKeyRecoveryService implements IService {
                         privateKeyData,
                         EncryptionAlgorithm.DES3_CBC_PAD,
                         algParam);
-            } else { //allowEncDecrypt_recovery == false
+            } else { //encrypted == false
                 PrivateKey privKey = recoverKey(params, keyRecord, allowEncDecrypt_recovery);
                 if (privKey == null) {
                     request.setExtData(IRequest.RESULT, Integer.valueOf(4));
diff --git a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
index b082165..556c4a7 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/dbs/KeyRecord.java
@@ -504,4 +504,13 @@ public class KeyRecord implements IDBObj, IKeyRecord {
 
         return params;
     }
+
+    public Boolean isEncrypted() throws EBaseException {
+        String encrypted = (String) mMetaInfo.get(KeyRecordParser.OUT_PL_ENCRYPTED);
+        if (encrypted == null)
+            return null;
+        return Boolean.valueOf(encrypted);
+    }
+
+
 }
-- 
1.8.3.1